@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28

Files changed (666)
  1. package/README.md +43 -36
  2. package/dist/bin.js +5765 -4880
  3. package/dist/browser/index.d.ts +30 -0
  4. package/dist/browser/index.js +93 -0
  5. package/dist/browser/locks.js +11 -0
  6. package/dist/browser/navigation.js +14 -0
  7. package/dist/{factors → browser}/passkey.js +23 -32
  8. package/dist/browser/runtime.js +92 -0
  9. package/dist/client/core/types.d.ts +452 -5
  10. package/dist/client/core/types.js +17 -0
  11. package/dist/client/errors.js +19 -0
  12. package/dist/client/factors/device.js +94 -0
  13. package/dist/{factors → client/factors}/totp.js +12 -4
  14. package/dist/client/index.d.ts +47 -1
  15. package/dist/client/index.js +269 -232
  16. package/dist/client/runtime/mutex.js +24 -0
  17. package/dist/client/runtime/proxy.js +30 -0
  18. package/dist/client/runtime/storage.js +45 -0
  19. package/dist/client/services/adapters.js +7 -0
  20. package/dist/client/services/http.js +6 -0
  21. package/dist/client/services/resolve.js +13 -0
  22. package/dist/client/services/runtime.js +6 -0
  23. package/dist/component/_generated/component.d.ts +1355 -1399
  24. package/dist/component/convex.config.d.ts +2 -2
  25. package/dist/component/index.d.ts +4 -26
  26. package/dist/component/index.js +1 -1
  27. package/dist/component/model.d.ts +26 -112
  28. package/dist/component/model.js +76 -54
  29. package/dist/component/modules.js +38 -0
  30. package/dist/component/public/factors/devices.js +1 -1
  31. package/dist/component/public/factors/passkeys.js +1 -1
  32. package/dist/component/public/factors/totp.js +1 -1
  33. package/dist/component/public/groups/core.js +2 -2
  34. package/dist/component/public/groups/invites.js +1 -1
  35. package/dist/component/public/groups/members.js +1 -1
  36. package/dist/component/public/identity/accounts.js +1 -1
  37. package/dist/component/public/identity/codes.js +1 -1
  38. package/dist/component/public/identity/sessions.js +39 -2
  39. package/dist/component/public/identity/tokens.js +82 -4
  40. package/dist/component/public/identity/users.js +1 -1
  41. package/dist/component/public/identity/verifiers.js +10 -4
  42. package/dist/component/public/security/keys.js +1 -1
  43. package/dist/component/public/security/limits.js +1 -1
  44. package/dist/component/public/{enterprise → sso}/audit.js +26 -26
  45. package/dist/component/public/sso/core.js +263 -0
  46. package/dist/component/public/sso/domains.js +280 -0
  47. package/dist/component/public/{enterprise → sso}/scim.js +87 -87
  48. package/dist/component/public/sso/secrets.js +125 -0
  49. package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
  50. package/dist/component/public.js +9 -9
  51. package/dist/component/schema.d.ts +472 -393
  52. package/dist/component/schema.js +36 -35
  53. package/dist/core/index.d.ts +380 -0
  54. package/dist/core/index.js +83 -0
  55. package/dist/otel.d.ts +69 -0
  56. package/dist/otel.js +82 -0
  57. package/dist/providers/anonymous.d.ts +15 -34
  58. package/dist/providers/anonymous.js +27 -35
  59. package/dist/providers/apple.d.ts +59 -0
  60. package/dist/providers/apple.js +58 -0
  61. package/dist/providers/credentials.d.ts +18 -34
  62. package/dist/providers/credentials.js +16 -27
  63. package/dist/providers/custom.d.ts +94 -0
  64. package/dist/providers/custom.js +119 -0
  65. package/dist/providers/device.d.ts +15 -49
  66. package/dist/providers/device.js +17 -34
  67. package/dist/providers/email.d.ts +21 -38
  68. package/dist/providers/email.js +36 -55
  69. package/dist/providers/github.d.ts +54 -0
  70. package/dist/providers/github.js +75 -0
  71. package/dist/providers/google.d.ts +54 -0
  72. package/dist/providers/google.js +61 -0
  73. package/dist/providers/index.d.ts +16 -12
  74. package/dist/providers/index.js +15 -11
  75. package/dist/providers/microsoft.d.ts +57 -0
  76. package/dist/providers/microsoft.js +101 -0
  77. package/dist/providers/passkey.d.ts +19 -35
  78. package/dist/providers/passkey.js +20 -30
  79. package/dist/providers/password.d.ts +17 -18
  80. package/dist/providers/password.js +121 -143
  81. package/dist/providers/phone.d.ts +13 -28
  82. package/dist/providers/phone.js +21 -46
  83. package/dist/providers/sso.d.ts +16 -36
  84. package/dist/providers/sso.js +21 -22
  85. package/dist/providers/totp.d.ts +13 -29
  86. package/dist/providers/totp.js +17 -27
  87. package/dist/server/auth-context.d.ts +204 -0
  88. package/dist/server/auth-context.js +76 -0
  89. package/dist/server/auth.d.ts +99 -244
  90. package/dist/server/auth.js +56 -152
  91. package/dist/server/componentContext.d.ts +12 -0
  92. package/dist/server/componentContext.js +1 -0
  93. package/dist/server/config.js +6 -67
  94. package/dist/server/constants.js +6 -0
  95. package/dist/server/contract.d.ts +105 -0
  96. package/dist/server/contract.js +43 -0
  97. package/dist/server/cookies.js +3 -2
  98. package/dist/server/core.js +31 -36
  99. package/dist/server/crypto.js +34 -44
  100. package/dist/server/db.js +6 -1
  101. package/dist/server/device.js +96 -130
  102. package/dist/server/env.js +48 -0
  103. package/dist/server/errors.js +20 -0
  104. package/dist/server/http.d.ts +15 -59
  105. package/dist/server/http.js +136 -120
  106. package/dist/server/identity.js +2 -2
  107. package/dist/server/index.d.ts +5 -4
  108. package/dist/server/index.js +3 -3
  109. package/dist/server/keys.js +10 -1
  110. package/dist/server/limits.js +26 -26
  111. package/dist/server/log.js +28 -0
  112. package/dist/server/mounts.d.ts +1107 -296
  113. package/dist/server/mounts.js +315 -196
  114. package/dist/server/mutations/account.js +11 -14
  115. package/dist/server/mutations/code.js +6 -5
  116. package/dist/server/mutations/invalidate.js +9 -11
  117. package/dist/server/mutations/oauth.js +112 -73
  118. package/dist/server/mutations/refresh.js +47 -97
  119. package/dist/server/mutations/register.js +37 -35
  120. package/dist/server/mutations/retrieve.js +16 -16
  121. package/dist/server/mutations/signature.js +15 -18
  122. package/dist/server/mutations/signin.js +10 -5
  123. package/dist/server/mutations/signout.js +11 -14
  124. package/dist/server/mutations/store.js +25 -18
  125. package/dist/server/mutations/verifier.js +11 -8
  126. package/dist/server/mutations/verify.js +53 -41
  127. package/dist/server/oauth/factory.js +44 -0
  128. package/dist/server/oauth/index.js +12 -0
  129. package/dist/server/oauth/runtime.js +248 -0
  130. package/dist/server/passkey.js +331 -365
  131. package/dist/server/payloads.d.ts +16 -0
  132. package/dist/server/payloads.js +30 -0
  133. package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
  134. package/dist/server/prefetch.js +635 -0
  135. package/dist/server/random.js +19 -0
  136. package/dist/server/redirects.js +10 -5
  137. package/dist/server/refresh.js +14 -86
  138. package/dist/server/runtime.d.ts +531 -31
  139. package/dist/server/runtime.js +106 -267
  140. package/dist/server/secret.js +44 -0
  141. package/dist/server/services/config.js +10 -0
  142. package/dist/server/services/group.js +211 -0
  143. package/dist/server/services/logger.js +8 -0
  144. package/dist/server/services/providers.js +22 -0
  145. package/dist/server/services/refresh.js +8 -0
  146. package/dist/server/services/resolve.js +27 -0
  147. package/dist/server/services/signin.js +8 -0
  148. package/dist/server/sessions.js +35 -34
  149. package/dist/server/signin.js +229 -140
  150. package/dist/server/{enterprise → sso}/config.js +10 -3
  151. package/dist/server/sso/domain.d.ts +614 -0
  152. package/dist/server/sso/domain.js +1175 -0
  153. package/dist/server/sso/http.js +1060 -0
  154. package/dist/server/sso/oidc.js +324 -0
  155. package/dist/server/sso/policies.js +59 -0
  156. package/dist/server/sso/policy.js +139 -0
  157. package/dist/server/sso/profile.js +22 -0
  158. package/dist/server/sso/provision.js +179 -0
  159. package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
  160. package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
  161. package/dist/server/sso/shared.js +74 -0
  162. package/dist/server/sso/validators.js +88 -0
  163. package/dist/server/sso/webhook.js +94 -0
  164. package/dist/server/tokens.js +16 -4
  165. package/dist/server/totp.js +155 -164
  166. package/dist/server/types.d.ts +306 -296
  167. package/dist/server/types.js +1 -30
  168. package/dist/server/url.js +32 -0
  169. package/dist/server/users.js +74 -40
  170. package/dist/server/utils/cache.js +51 -0
  171. package/dist/server/utils/dispatch.js +36 -0
  172. package/dist/server/utils/retry.js +24 -0
  173. package/dist/server/utils/span.js +32 -0
  174. package/dist/shared/errors.js +19 -0
  175. package/dist/shared/log.js +45 -0
  176. package/{src/test.ts → dist/test.d.ts} +21 -22
  177. package/dist/test.js +51 -0
  178. package/package.json +70 -42
  179. package/dist/authorization/index.d.ts.map +0 -1
  180. package/dist/authorization/index.js.map +0 -1
  181. package/dist/client/core/types.d.ts.map +0 -1
  182. package/dist/client/index.d.ts.map +0 -1
  183. package/dist/client/index.js.map +0 -1
  184. package/dist/component/_generated/api.d.ts +0 -75
  185. package/dist/component/_generated/api.d.ts.map +0 -1
  186. package/dist/component/_generated/api.js.map +0 -1
  187. package/dist/component/_generated/component.d.ts.map +0 -1
  188. package/dist/component/_generated/dataModel.d.ts +0 -42
  189. package/dist/component/_generated/dataModel.d.ts.map +0 -1
  190. package/dist/component/_generated/server.d.ts +0 -117
  191. package/dist/component/_generated/server.d.ts.map +0 -1
  192. package/dist/component/_generated/server.js.map +0 -1
  193. package/dist/component/_virtual/rolldown_runtime.js +0 -18
  194. package/dist/component/client/core/types.d.ts +0 -2
  195. package/dist/component/client/index.d.ts +0 -1
  196. package/dist/component/convex.config.d.ts.map +0 -1
  197. package/dist/component/convex.config.js.map +0 -1
  198. package/dist/component/functions.d.ts +0 -25
  199. package/dist/component/functions.d.ts.map +0 -1
  200. package/dist/component/functions.js.map +0 -1
  201. package/dist/component/index.d.ts.map +0 -1
  202. package/dist/component/model.d.ts.map +0 -1
  203. package/dist/component/model.js.map +0 -1
  204. package/dist/component/providers/anonymous.d.ts +0 -54
  205. package/dist/component/providers/anonymous.d.ts.map +0 -1
  206. package/dist/component/providers/credentials.d.ts +0 -38
  207. package/dist/component/providers/credentials.d.ts.map +0 -1
  208. package/dist/component/providers/device.d.ts +0 -67
  209. package/dist/component/providers/device.d.ts.map +0 -1
  210. package/dist/component/providers/email.d.ts +0 -62
  211. package/dist/component/providers/email.d.ts.map +0 -1
  212. package/dist/component/providers/oauth.d.ts +0 -25
  213. package/dist/component/providers/oauth.d.ts.map +0 -1
  214. package/dist/component/providers/oauth.js +0 -13
  215. package/dist/component/providers/oauth.js.map +0 -1
  216. package/dist/component/providers/passkey.d.ts +0 -57
  217. package/dist/component/providers/passkey.d.ts.map +0 -1
  218. package/dist/component/providers/password.d.ts +0 -88
  219. package/dist/component/providers/password.d.ts.map +0 -1
  220. package/dist/component/providers/phone.d.ts +0 -48
  221. package/dist/component/providers/phone.d.ts.map +0 -1
  222. package/dist/component/providers/sso.d.ts +0 -50
  223. package/dist/component/providers/sso.d.ts.map +0 -1
  224. package/dist/component/providers/totp.d.ts +0 -45
  225. package/dist/component/providers/totp.d.ts.map +0 -1
  226. package/dist/component/public/enterprise/audit.d.ts +0 -73
  227. package/dist/component/public/enterprise/audit.d.ts.map +0 -1
  228. package/dist/component/public/enterprise/audit.js.map +0 -1
  229. package/dist/component/public/enterprise/core.d.ts +0 -176
  230. package/dist/component/public/enterprise/core.d.ts.map +0 -1
  231. package/dist/component/public/enterprise/core.js +0 -292
  232. package/dist/component/public/enterprise/core.js.map +0 -1
  233. package/dist/component/public/enterprise/domains.d.ts +0 -174
  234. package/dist/component/public/enterprise/domains.d.ts.map +0 -1
  235. package/dist/component/public/enterprise/domains.js +0 -271
  236. package/dist/component/public/enterprise/domains.js.map +0 -1
  237. package/dist/component/public/enterprise/scim.d.ts +0 -245
  238. package/dist/component/public/enterprise/scim.d.ts.map +0 -1
  239. package/dist/component/public/enterprise/scim.js.map +0 -1
  240. package/dist/component/public/enterprise/secrets.d.ts +0 -78
  241. package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
  242. package/dist/component/public/enterprise/secrets.js +0 -118
  243. package/dist/component/public/enterprise/secrets.js.map +0 -1
  244. package/dist/component/public/enterprise/webhooks.d.ts +0 -211
  245. package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
  246. package/dist/component/public/enterprise/webhooks.js.map +0 -1
  247. package/dist/component/public/factors/devices.d.ts +0 -157
  248. package/dist/component/public/factors/devices.d.ts.map +0 -1
  249. package/dist/component/public/factors/devices.js.map +0 -1
  250. package/dist/component/public/factors/passkeys.d.ts +0 -175
  251. package/dist/component/public/factors/passkeys.d.ts.map +0 -1
  252. package/dist/component/public/factors/passkeys.js.map +0 -1
  253. package/dist/component/public/factors/totp.d.ts +0 -189
  254. package/dist/component/public/factors/totp.d.ts.map +0 -1
  255. package/dist/component/public/factors/totp.js.map +0 -1
  256. package/dist/component/public/groups/core.d.ts +0 -137
  257. package/dist/component/public/groups/core.d.ts.map +0 -1
  258. package/dist/component/public/groups/core.js.map +0 -1
  259. package/dist/component/public/groups/invites.d.ts +0 -217
  260. package/dist/component/public/groups/invites.d.ts.map +0 -1
  261. package/dist/component/public/groups/invites.js.map +0 -1
  262. package/dist/component/public/groups/members.d.ts +0 -204
  263. package/dist/component/public/groups/members.d.ts.map +0 -1
  264. package/dist/component/public/groups/members.js.map +0 -1
  265. package/dist/component/public/identity/accounts.d.ts +0 -147
  266. package/dist/component/public/identity/accounts.d.ts.map +0 -1
  267. package/dist/component/public/identity/accounts.js.map +0 -1
  268. package/dist/component/public/identity/codes.d.ts +0 -104
  269. package/dist/component/public/identity/codes.d.ts.map +0 -1
  270. package/dist/component/public/identity/codes.js.map +0 -1
  271. package/dist/component/public/identity/sessions.d.ts +0 -128
  272. package/dist/component/public/identity/sessions.d.ts.map +0 -1
  273. package/dist/component/public/identity/sessions.js.map +0 -1
  274. package/dist/component/public/identity/tokens.d.ts +0 -169
  275. package/dist/component/public/identity/tokens.d.ts.map +0 -1
  276. package/dist/component/public/identity/tokens.js.map +0 -1
  277. package/dist/component/public/identity/users.d.ts +0 -212
  278. package/dist/component/public/identity/users.d.ts.map +0 -1
  279. package/dist/component/public/identity/users.js.map +0 -1
  280. package/dist/component/public/identity/verifiers.d.ts +0 -116
  281. package/dist/component/public/identity/verifiers.d.ts.map +0 -1
  282. package/dist/component/public/identity/verifiers.js.map +0 -1
  283. package/dist/component/public/security/keys.d.ts +0 -209
  284. package/dist/component/public/security/keys.d.ts.map +0 -1
  285. package/dist/component/public/security/keys.js.map +0 -1
  286. package/dist/component/public/security/limits.d.ts +0 -114
  287. package/dist/component/public/security/limits.d.ts.map +0 -1
  288. package/dist/component/public/security/limits.js.map +0 -1
  289. package/dist/component/public.d.ts +0 -28
  290. package/dist/component/public.d.ts.map +0 -1
  291. package/dist/component/schema.d.ts.map +0 -1
  292. package/dist/component/schema.js.map +0 -1
  293. package/dist/component/server/auth.d.ts +0 -447
  294. package/dist/component/server/auth.d.ts.map +0 -1
  295. package/dist/component/server/auth.js +0 -254
  296. package/dist/component/server/auth.js.map +0 -1
  297. package/dist/component/server/config.js +0 -121
  298. package/dist/component/server/config.js.map +0 -1
  299. package/dist/component/server/context.js +0 -53
  300. package/dist/component/server/context.js.map +0 -1
  301. package/dist/component/server/cookies.js +0 -47
  302. package/dist/component/server/cookies.js.map +0 -1
  303. package/dist/component/server/core.js +0 -576
  304. package/dist/component/server/core.js.map +0 -1
  305. package/dist/component/server/crypto.js +0 -56
  306. package/dist/component/server/crypto.js.map +0 -1
  307. package/dist/component/server/db.js +0 -87
  308. package/dist/component/server/db.js.map +0 -1
  309. package/dist/component/server/device.js +0 -152
  310. package/dist/component/server/device.js.map +0 -1
  311. package/dist/component/server/enterprise/config.js +0 -46
  312. package/dist/component/server/enterprise/config.js.map +0 -1
  313. package/dist/component/server/enterprise/domain.js +0 -974
  314. package/dist/component/server/enterprise/domain.js.map +0 -1
  315. package/dist/component/server/enterprise/http.js +0 -787
  316. package/dist/component/server/enterprise/http.js.map +0 -1
  317. package/dist/component/server/enterprise/oidc.js +0 -248
  318. package/dist/component/server/enterprise/oidc.js.map +0 -1
  319. package/dist/component/server/enterprise/policy.js +0 -85
  320. package/dist/component/server/enterprise/policy.js.map +0 -1
  321. package/dist/component/server/enterprise/saml.js.map +0 -1
  322. package/dist/component/server/enterprise/scim.js.map +0 -1
  323. package/dist/component/server/enterprise/shared.js +0 -51
  324. package/dist/component/server/enterprise/shared.js.map +0 -1
  325. package/dist/component/server/http.d.ts +0 -85
  326. package/dist/component/server/http.d.ts.map +0 -1
  327. package/dist/component/server/http.js +0 -351
  328. package/dist/component/server/http.js.map +0 -1
  329. package/dist/component/server/identity.js +0 -16
  330. package/dist/component/server/identity.js.map +0 -1
  331. package/dist/component/server/keys.js +0 -96
  332. package/dist/component/server/keys.js.map +0 -1
  333. package/dist/component/server/limits.js +0 -52
  334. package/dist/component/server/limits.js.map +0 -1
  335. package/dist/component/server/mutations/account.js +0 -46
  336. package/dist/component/server/mutations/account.js.map +0 -1
  337. package/dist/component/server/mutations/code.js +0 -68
  338. package/dist/component/server/mutations/code.js.map +0 -1
  339. package/dist/component/server/mutations/invalidate.js +0 -32
  340. package/dist/component/server/mutations/invalidate.js.map +0 -1
  341. package/dist/component/server/mutations/oauth.js +0 -116
  342. package/dist/component/server/mutations/oauth.js.map +0 -1
  343. package/dist/component/server/mutations/refresh.js +0 -119
  344. package/dist/component/server/mutations/refresh.js.map +0 -1
  345. package/dist/component/server/mutations/register.js +0 -87
  346. package/dist/component/server/mutations/register.js.map +0 -1
  347. package/dist/component/server/mutations/retrieve.js +0 -61
  348. package/dist/component/server/mutations/retrieve.js.map +0 -1
  349. package/dist/component/server/mutations/signature.js +0 -38
  350. package/dist/component/server/mutations/signature.js.map +0 -1
  351. package/dist/component/server/mutations/signin.js +0 -27
  352. package/dist/component/server/mutations/signin.js.map +0 -1
  353. package/dist/component/server/mutations/signout.js +0 -27
  354. package/dist/component/server/mutations/signout.js.map +0 -1
  355. package/dist/component/server/mutations/store/refs.js +0 -15
  356. package/dist/component/server/mutations/store/refs.js.map +0 -1
  357. package/dist/component/server/mutations/store.js +0 -70
  358. package/dist/component/server/mutations/store.js.map +0 -1
  359. package/dist/component/server/mutations/verifier.js +0 -18
  360. package/dist/component/server/mutations/verifier.js.map +0 -1
  361. package/dist/component/server/mutations/verify.js +0 -98
  362. package/dist/component/server/mutations/verify.js.map +0 -1
  363. package/dist/component/server/oauth.js +0 -242
  364. package/dist/component/server/oauth.js.map +0 -1
  365. package/dist/component/server/passkey.js +0 -415
  366. package/dist/component/server/passkey.js.map +0 -1
  367. package/dist/component/server/redirects.js +0 -40
  368. package/dist/component/server/redirects.js.map +0 -1
  369. package/dist/component/server/refresh.js +0 -99
  370. package/dist/component/server/refresh.js.map +0 -1
  371. package/dist/component/server/runtime.d.ts +0 -136
  372. package/dist/component/server/runtime.d.ts.map +0 -1
  373. package/dist/component/server/runtime.js +0 -456
  374. package/dist/component/server/runtime.js.map +0 -1
  375. package/dist/component/server/sessions.js +0 -71
  376. package/dist/component/server/sessions.js.map +0 -1
  377. package/dist/component/server/signin.js +0 -225
  378. package/dist/component/server/signin.js.map +0 -1
  379. package/dist/component/server/tokens.js +0 -17
  380. package/dist/component/server/tokens.js.map +0 -1
  381. package/dist/component/server/totp.js +0 -208
  382. package/dist/component/server/totp.js.map +0 -1
  383. package/dist/component/server/types.d.ts +0 -949
  384. package/dist/component/server/types.d.ts.map +0 -1
  385. package/dist/component/server/types.js +0 -79
  386. package/dist/component/server/types.js.map +0 -1
  387. package/dist/component/server/users.js +0 -123
  388. package/dist/component/server/users.js.map +0 -1
  389. package/dist/component/server/utils.js +0 -140
  390. package/dist/component/server/utils.js.map +0 -1
  391. package/dist/core/types.d.ts +0 -361
  392. package/dist/core/types.d.ts.map +0 -1
  393. package/dist/factors/device.js +0 -104
  394. package/dist/factors/device.js.map +0 -1
  395. package/dist/factors/passkey.js.map +0 -1
  396. package/dist/factors/totp.js.map +0 -1
  397. package/dist/providers/anonymous.d.ts.map +0 -1
  398. package/dist/providers/anonymous.js.map +0 -1
  399. package/dist/providers/credentials.d.ts.map +0 -1
  400. package/dist/providers/credentials.js.map +0 -1
  401. package/dist/providers/device.d.ts.map +0 -1
  402. package/dist/providers/device.js.map +0 -1
  403. package/dist/providers/email.d.ts.map +0 -1
  404. package/dist/providers/email.js.map +0 -1
  405. package/dist/providers/oauth.d.ts +0 -69
  406. package/dist/providers/oauth.d.ts.map +0 -1
  407. package/dist/providers/oauth.js +0 -43
  408. package/dist/providers/oauth.js.map +0 -1
  409. package/dist/providers/passkey.d.ts.map +0 -1
  410. package/dist/providers/passkey.js.map +0 -1
  411. package/dist/providers/password.d.ts.map +0 -1
  412. package/dist/providers/password.js.map +0 -1
  413. package/dist/providers/phone.d.ts.map +0 -1
  414. package/dist/providers/phone.js.map +0 -1
  415. package/dist/providers/sso.d.ts.map +0 -1
  416. package/dist/providers/sso.js.map +0 -1
  417. package/dist/providers/totp.d.ts.map +0 -1
  418. package/dist/providers/totp.js.map +0 -1
  419. package/dist/runtime/browser.js +0 -68
  420. package/dist/runtime/browser.js.map +0 -1
  421. package/dist/runtime/invite.js.map +0 -1
  422. package/dist/runtime/proxy.js +0 -70
  423. package/dist/runtime/proxy.js.map +0 -1
  424. package/dist/runtime/storage.js +0 -37
  425. package/dist/runtime/storage.js.map +0 -1
  426. package/dist/server/auth.d.ts.map +0 -1
  427. package/dist/server/auth.js.map +0 -1
  428. package/dist/server/config.d.ts +0 -1
  429. package/dist/server/config.js.map +0 -1
  430. package/dist/server/context.d.ts +0 -1
  431. package/dist/server/context.js.map +0 -1
  432. package/dist/server/cookies.d.ts +0 -1
  433. package/dist/server/cookies.js.map +0 -1
  434. package/dist/server/core.d.ts +0 -1315
  435. package/dist/server/core.d.ts.map +0 -1
  436. package/dist/server/core.js.map +0 -1
  437. package/dist/server/crypto.d.ts +0 -8
  438. package/dist/server/crypto.d.ts.map +0 -1
  439. package/dist/server/crypto.js.map +0 -1
  440. package/dist/server/db.d.ts +0 -1
  441. package/dist/server/db.js.map +0 -1
  442. package/dist/server/device.d.ts +0 -1
  443. package/dist/server/device.js.map +0 -1
  444. package/dist/server/enterprise/config.d.ts +0 -1
  445. package/dist/server/enterprise/config.js.map +0 -1
  446. package/dist/server/enterprise/domain.d.ts +0 -401
  447. package/dist/server/enterprise/domain.d.ts.map +0 -1
  448. package/dist/server/enterprise/domain.js +0 -974
  449. package/dist/server/enterprise/domain.js.map +0 -1
  450. package/dist/server/enterprise/http.d.ts +0 -26
  451. package/dist/server/enterprise/http.d.ts.map +0 -1
  452. package/dist/server/enterprise/http.js +0 -787
  453. package/dist/server/enterprise/http.js.map +0 -1
  454. package/dist/server/enterprise/oidc.d.ts +0 -1
  455. package/dist/server/enterprise/oidc.js +0 -248
  456. package/dist/server/enterprise/oidc.js.map +0 -1
  457. package/dist/server/enterprise/policy.d.ts +0 -1
  458. package/dist/server/enterprise/policy.js +0 -85
  459. package/dist/server/enterprise/policy.js.map +0 -1
  460. package/dist/server/enterprise/saml.d.ts +0 -1
  461. package/dist/server/enterprise/saml.js +0 -338
  462. package/dist/server/enterprise/saml.js.map +0 -1
  463. package/dist/server/enterprise/scim.d.ts +0 -1
  464. package/dist/server/enterprise/scim.js +0 -97
  465. package/dist/server/enterprise/scim.js.map +0 -1
  466. package/dist/server/enterprise/shared.d.ts +0 -5
  467. package/dist/server/enterprise/shared.d.ts.map +0 -1
  468. package/dist/server/enterprise/shared.js +0 -51
  469. package/dist/server/enterprise/shared.js.map +0 -1
  470. package/dist/server/enterprise/validators.d.ts +0 -1
  471. package/dist/server/enterprise/validators.js +0 -60
  472. package/dist/server/enterprise/validators.js.map +0 -1
  473. package/dist/server/http.d.ts.map +0 -1
  474. package/dist/server/http.js.map +0 -1
  475. package/dist/server/identity.d.ts +0 -1
  476. package/dist/server/identity.js.map +0 -1
  477. package/dist/server/keys.d.ts +0 -1
  478. package/dist/server/keys.js.map +0 -1
  479. package/dist/server/limits.d.ts +0 -1
  480. package/dist/server/limits.js.map +0 -1
  481. package/dist/server/mounts.d.ts.map +0 -1
  482. package/dist/server/mounts.js.map +0 -1
  483. package/dist/server/mutations/account.d.ts +0 -29
  484. package/dist/server/mutations/account.d.ts.map +0 -1
  485. package/dist/server/mutations/account.js.map +0 -1
  486. package/dist/server/mutations/code.d.ts +0 -30
  487. package/dist/server/mutations/code.d.ts.map +0 -1
  488. package/dist/server/mutations/code.js.map +0 -1
  489. package/dist/server/mutations/index.d.ts +0 -14
  490. package/dist/server/mutations/invalidate.d.ts +0 -20
  491. package/dist/server/mutations/invalidate.d.ts.map +0 -1
  492. package/dist/server/mutations/invalidate.js.map +0 -1
  493. package/dist/server/mutations/oauth.d.ts +0 -30
  494. package/dist/server/mutations/oauth.d.ts.map +0 -1
  495. package/dist/server/mutations/oauth.js.map +0 -1
  496. package/dist/server/mutations/refresh.d.ts +0 -21
  497. package/dist/server/mutations/refresh.d.ts.map +0 -1
  498. package/dist/server/mutations/refresh.js.map +0 -1
  499. package/dist/server/mutations/register.d.ts +0 -38
  500. package/dist/server/mutations/register.d.ts.map +0 -1
  501. package/dist/server/mutations/register.js.map +0 -1
  502. package/dist/server/mutations/retrieve.d.ts +0 -33
  503. package/dist/server/mutations/retrieve.d.ts.map +0 -1
  504. package/dist/server/mutations/retrieve.js.map +0 -1
  505. package/dist/server/mutations/signature.d.ts +0 -21
  506. package/dist/server/mutations/signature.d.ts.map +0 -1
  507. package/dist/server/mutations/signature.js.map +0 -1
  508. package/dist/server/mutations/signin.d.ts +0 -22
  509. package/dist/server/mutations/signin.d.ts.map +0 -1
  510. package/dist/server/mutations/signin.js.map +0 -1
  511. package/dist/server/mutations/signout.d.ts +0 -16
  512. package/dist/server/mutations/signout.d.ts.map +0 -1
  513. package/dist/server/mutations/signout.js.map +0 -1
  514. package/dist/server/mutations/store/refs.d.ts +0 -12
  515. package/dist/server/mutations/store/refs.d.ts.map +0 -1
  516. package/dist/server/mutations/store/refs.js.map +0 -1
  517. package/dist/server/mutations/store.d.ts +0 -306
  518. package/dist/server/mutations/store.d.ts.map +0 -1
  519. package/dist/server/mutations/store.js.map +0 -1
  520. package/dist/server/mutations/verifier.d.ts +0 -13
  521. package/dist/server/mutations/verifier.d.ts.map +0 -1
  522. package/dist/server/mutations/verifier.js.map +0 -1
  523. package/dist/server/mutations/verify.d.ts +0 -26
  524. package/dist/server/mutations/verify.d.ts.map +0 -1
  525. package/dist/server/mutations/verify.js.map +0 -1
  526. package/dist/server/oauth.d.ts +0 -1
  527. package/dist/server/oauth.js +0 -242
  528. package/dist/server/oauth.js.map +0 -1
  529. package/dist/server/passkey.d.ts +0 -27
  530. package/dist/server/passkey.d.ts.map +0 -1
  531. package/dist/server/passkey.js.map +0 -1
  532. package/dist/server/redirects.d.ts +0 -1
  533. package/dist/server/redirects.js.map +0 -1
  534. package/dist/server/refresh.d.ts +0 -1
  535. package/dist/server/refresh.js.map +0 -1
  536. package/dist/server/runtime.d.ts.map +0 -1
  537. package/dist/server/runtime.js.map +0 -1
  538. package/dist/server/sessions.d.ts +0 -1
  539. package/dist/server/sessions.js.map +0 -1
  540. package/dist/server/signin.d.ts +0 -1
  541. package/dist/server/signin.js.map +0 -1
  542. package/dist/server/ssr.d.ts.map +0 -1
  543. package/dist/server/ssr.js +0 -777
  544. package/dist/server/ssr.js.map +0 -1
  545. package/dist/server/templates.d.ts +0 -1
  546. package/dist/server/templates.js.map +0 -1
  547. package/dist/server/tokens.d.ts +0 -1
  548. package/dist/server/tokens.js.map +0 -1
  549. package/dist/server/totp.d.ts +0 -1
  550. package/dist/server/totp.js.map +0 -1
  551. package/dist/server/types.d.ts.map +0 -1
  552. package/dist/server/types.js.map +0 -1
  553. package/dist/server/users.d.ts +0 -1
  554. package/dist/server/users.js.map +0 -1
  555. package/dist/server/utils.d.ts +0 -1
  556. package/dist/server/utils.js +0 -140
  557. package/dist/server/utils.js.map +0 -1
  558. package/src/authorization/index.ts +0 -83
  559. package/src/cli/bin.ts +0 -5
  560. package/src/cli/command.ts +0 -70
  561. package/src/cli/index.ts +0 -1112
  562. package/src/cli/keys.ts +0 -23
  563. package/src/client/core/types.ts +0 -437
  564. package/src/client/factors/device.ts +0 -158
  565. package/src/client/factors/passkey.ts +0 -279
  566. package/src/client/factors/totp.ts +0 -150
  567. package/src/client/index.ts +0 -1124
  568. package/src/client/runtime/browser.ts +0 -112
  569. package/src/client/runtime/invite.ts +0 -63
  570. package/src/client/runtime/proxy.ts +0 -111
  571. package/src/client/runtime/storage.ts +0 -79
  572. package/src/component/_generated/api.ts +0 -96
  573. package/src/component/_generated/component.ts +0 -3774
  574. package/src/component/_generated/dataModel.ts +0 -60
  575. package/src/component/_generated/server.ts +0 -156
  576. package/src/component/convex.config.ts +0 -5
  577. package/src/component/functions.ts +0 -104
  578. package/src/component/index.ts +0 -42
  579. package/src/component/model.ts +0 -449
  580. package/src/component/public/enterprise/audit.ts +0 -125
  581. package/src/component/public/enterprise/core.ts +0 -355
  582. package/src/component/public/enterprise/domains.ts +0 -327
  583. package/src/component/public/enterprise/scim.ts +0 -397
  584. package/src/component/public/enterprise/secrets.ts +0 -133
  585. package/src/component/public/enterprise/webhooks.ts +0 -307
  586. package/src/component/public/factors/devices.ts +0 -224
  587. package/src/component/public/factors/passkeys.ts +0 -243
  588. package/src/component/public/factors/totp.ts +0 -259
  589. package/src/component/public/groups/core.ts +0 -481
  590. package/src/component/public/groups/invites.ts +0 -608
  591. package/src/component/public/groups/members.ts +0 -410
  592. package/src/component/public/identity/accounts.ts +0 -207
  593. package/src/component/public/identity/codes.ts +0 -149
  594. package/src/component/public/identity/sessions.ts +0 -210
  595. package/src/component/public/identity/tokens.ts +0 -251
  596. package/src/component/public/identity/users.ts +0 -355
  597. package/src/component/public/identity/verifiers.ts +0 -158
  598. package/src/component/public/security/keys.ts +0 -366
  599. package/src/component/public/security/limits.ts +0 -174
  600. package/src/component/public.ts +0 -27
  601. package/src/component/schema.ts +0 -505
  602. package/src/providers/anonymous.ts +0 -99
  603. package/src/providers/credentials.ts +0 -102
  604. package/src/providers/device.ts +0 -87
  605. package/src/providers/email.ts +0 -99
  606. package/src/providers/index.ts +0 -31
  607. package/src/providers/oauth.ts +0 -117
  608. package/src/providers/passkey.ts +0 -77
  609. package/src/providers/password.ts +0 -441
  610. package/src/providers/phone.ts +0 -93
  611. package/src/providers/sso.ts +0 -54
  612. package/src/providers/totp.ts +0 -62
  613. package/src/samlify.d.ts +0 -53
  614. package/src/server/auth.ts +0 -949
  615. package/src/server/config.ts +0 -200
  616. package/src/server/context.ts +0 -90
  617. package/src/server/cookies.ts +0 -49
  618. package/src/server/core.ts +0 -2004
  619. package/src/server/crypto.ts +0 -90
  620. package/src/server/db.ts +0 -203
  621. package/src/server/device.ts +0 -254
  622. package/src/server/enterprise/config.ts +0 -51
  623. package/src/server/enterprise/domain.ts +0 -1739
  624. package/src/server/enterprise/http.ts +0 -1331
  625. package/src/server/enterprise/oidc.ts +0 -500
  626. package/src/server/enterprise/policy.ts +0 -128
  627. package/src/server/enterprise/saml.ts +0 -578
  628. package/src/server/enterprise/scim.ts +0 -135
  629. package/src/server/enterprise/shared.ts +0 -134
  630. package/src/server/enterprise/validators.ts +0 -93
  631. package/src/server/http.ts +0 -790
  632. package/src/server/identity.ts +0 -18
  633. package/src/server/index.ts +0 -40
  634. package/src/server/keys.ts +0 -158
  635. package/src/server/limits.ts +0 -107
  636. package/src/server/mounts.ts +0 -924
  637. package/src/server/mutations/account.ts +0 -62
  638. package/src/server/mutations/code.ts +0 -119
  639. package/src/server/mutations/index.ts +0 -13
  640. package/src/server/mutations/invalidate.ts +0 -50
  641. package/src/server/mutations/oauth.ts +0 -243
  642. package/src/server/mutations/refresh.ts +0 -299
  643. package/src/server/mutations/register.ts +0 -155
  644. package/src/server/mutations/retrieve.ts +0 -109
  645. package/src/server/mutations/signature.ts +0 -57
  646. package/src/server/mutations/signin.ts +0 -54
  647. package/src/server/mutations/signout.ts +0 -43
  648. package/src/server/mutations/store/refs.ts +0 -10
  649. package/src/server/mutations/store.ts +0 -123
  650. package/src/server/mutations/verifier.ts +0 -34
  651. package/src/server/mutations/verify.ts +0 -200
  652. package/src/server/oauth.ts +0 -418
  653. package/src/server/passkey.ts +0 -838
  654. package/src/server/redirects.ts +0 -59
  655. package/src/server/refresh.ts +0 -218
  656. package/src/server/runtime.ts +0 -918
  657. package/src/server/sessions.ts +0 -132
  658. package/src/server/signin.ts +0 -445
  659. package/src/server/ssr.ts +0 -1747
  660. package/src/server/templates.ts +0 -82
  661. package/src/server/tokens.ts +0 -35
  662. package/src/server/totp.ts +0 -399
  663. package/src/server/types.ts +0 -1942
  664. package/src/server/users.ts +0 -291
  665. package/src/server/utils.ts +0 -220
  666. /package/dist/{runtime → client/runtime}/invite.js +0 -0
@@ -1 +0,0 @@
1
- {"version":3,"file":"http.d.ts","names":[],"sources":["../../src/server/http.ts"],"mappings":";;;;;;;;;AAsEA;;;;;;;;;;;;;;;;KAAY,eAAA,IACP,WAAA;EAoBO,oEAlBN,MAAA;EAEA,GAAA;AAAA,MAED,WAAA;EAiBC,oDAfA,MAAA,SAmBF;EAjBE,GAAA,EAAK,cAAA;AAAA;AAsCX;;;;;;;AAAA,KA5BY,uBAAA,IACP,mBAAA;EA4CU,6CA1CT,MAAA,QA0CqB;EAxCrB,GAAA;AAAA,KAEF,eAAA;;;;;;;;;;;;;;;;;;;;KAqBQ,qBAAA,kBACO,MAAA,oBAA0B,MAAA;EAwB3C;;;;EAlBA,QAAA;EAoBE;;;;;EAdF,OAAA,IACE,GAAA,EAAK,gBAAA,OACL,IAAA,EAAM,OAAA,EACN,IAAA,EAAM,eAAA,KACH,OAAA,CAAQ,QAAA,IAAY,QAAA;EAmIX;;;;;;;EA3Hd,WAAA,IACE,GAAA,EAAK,gBAAA,OACL,QAAA,QAAgB,OAAA,CAAQ,eAAA,aAEtB,OAAA,CAAQ,eAAA,uBACR,eAAA;AAAA;AAAA,iBAsHU,gBAAA,CAAiB,IAAA;EAC/B,GAAA;IAAO,MAAA,GAAS,GAAA,EAAK,gBAAA,OAAuB,MAAA,aAAmB,OAAA;EAAA;AAAA,KAG7D,OAAA,GACE,GAAA,EAAK,gBAAA,CAAiB,gBAAA,IAAoB,cAAA,EAC1C,OAAA,EAAS,OAAA,KACN,OAAA,CAAQ,QAAA,GAAW,MAAA,oBACxB,OAAA;EACE,KAAA;IAAU,QAAA;IAAkB,MAAA;EAAA;EAC5B,IAAA,GAAO,UAAA;AAAA,MAAU,eAAA,CAClB,gBAAA;AAAA,iBA6IW,eAAA,CACd,UAAA,EAAY,UAAA,QAAkB,gBAAA,KAG5B,IAAA;EAAQ,KAAA,GAAQ,MAAA;AAAA,GAChB,WAAA;EACE,IAAA;EACA,MAAA;EACA,OAAA,GACE,GAAA,EAAK,gBAAA,CAAiB,gBAAA,IAAoB,cAAA,EAC1C,OAAA,EAAS,OAAA,KACN,OAAA,CAAQ,QAAA,GAAW,MAAA;EACxB,KAAA;IAAU,QAAA;IAAkB,MAAA;EAAA;EAC5B,IAAA,GAAO,UAAA;AAAA;AAAA,iBA+BG,uBAAA,CACd,eAAA,UACA,MAAA,GAAS,GAAA,EAAK,gBAAA,OAAuB,OAAA,EAAS,OAAA,KAAY,OAAA,CAAQ,QAAA,KAEpD,GAAA,EAAK,gBAAA,OAAuB,OAAA,EAAS,OAAA,KAAO,OAAA,CAAA,QAAA;AAAA,iBAiD5C,UAAA,CACd,OAAA,EAAS,OAAA,GACR,MAAA;AAAA,KAIS,eAAA;EACV,QAAA;EACA,YAAA;EACA,QAAA;EACA,IAAA;AAAA;AAAA,iBA2Bc,eAAA,CACd,IAAA,EAAM,UAAA,EACN,IAAA;EACE,SAAA;EACA,OAAA;AAAA;AAAA,iBA0CY,aAAA,CACd,IAAA,EAAM,UAAA,EACN,IAAA;EACE,YAAA,GACE,GAAA,EAAK,gBAAA,OACL,OAAA,EAAS,OAAA,KACN,OAAA,CAAQ,QAAA;EACb,cAAA,GACE,GAAA,EAAK,gBAAA,OACL,OAAA,EAAS,OAAA,KACN,OAAA,CAAQ,QAAA;AAAA;AAAA,iBAwBD,YAAA,CACd,IAAA,EAAM,UAAA,EACN,IAAA;EACE,SAAA;EACA,uBAAA,SAAgC,uBAAA;EAChC,kBAAA,GACE,GAAA,EAAK,gBAAA,OACL,OAAA,EAAS,OAAA,EACT,KAAA,EAAO,eAAA,KACJ,OAAA,CAAQ,QAAA;EACb,gBAAA,GACE,GAAA,EAAK,gBAAA,OACL,OAAA,EAAS,OAAA,EACT,KAAA,EAAO,eAAA,K
ACJ,OAAA,CAAQ,QAAA;EACb,gBAAA,GACE,GAAA,EAAK,gBAAA,OACL,OAAA,EAAS,OAAA,EACT,KAAA,EAAO,eAAA,KACJ,OAAA,CAAQ,QAAA;EACb,kBAAA,GACE,GAAA,EAAK,gBAAA,OACL,OAAA,EAAS,OAAA,EACT,KAAA,EAAO,eAAA,KACJ,OAAA,CAAQ,QAAA;EACb,aAAA,GACE,GAAA,EAAK,gBAAA,OACL,OAAA,EAAS,OAAA,EACT,KAAA,EAAO,eAAA,KACJ,OAAA,CAAQ,QAAA;EACb,aAAA,GACE,GAAA,EAAK,gBAAA,OACL,OAAA,EAAS,OAAA,EACT,KAAA,EAAO,eAAA,KACJ,OAAA,CAAQ,QAAA;EACb,iBAAA,GACE,GAAA,EAAK,gBAAA,OACL,OAAA,EAAS,OAAA,KACN,OAAA,CAAQ,QAAA;EACb,SAAA,GAAY,MAAA,UAAgB,QAAA,UAAkB,MAAA,aAAmB,QAAA;AAAA"}
@@ -1 +0,0 @@
1
- {"version":3,"file":"http.js","names":["result","parseCookies"],"sources":["../../src/server/http.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport {\n GenericActionCtx,\n GenericDataModel,\n HttpRouter,\n httpActionGeneric,\n} from \"convex/server\";\nimport { ConvexError } from \"convex/values\";\nimport { parse as parseCookies } from \"cookie\";\n\nimport type {\n AuthContext,\n OptionalAuthContext,\n UserDoc,\n} from \"./auth\";\nimport {\n createUnauthenticatedAuthContext,\n getAuthContextForUser,\n getSessionUserId,\n} from \"./context\";\nimport type { CorsConfig, HttpKeyContext } from \"./types\";\nimport { logError } from \"./utils\";\n\ntype HttpContextAuthLike = {\n user: {\n get: (ctx: any, userId: string) => Promise<UserDoc>;\n getActiveGroup: (\n ctx: any,\n args: { userId: string },\n ) => Promise<string | null>;\n };\n member: {\n inspect: (\n ctx: any,\n args: { userId: string; groupId: string },\n ) => Promise<{\n membership: unknown;\n roleIds: string[];\n grants: string[];\n }>;\n };\n key: {\n verify: (ctx: GenericActionCtx<any>, rawKey: string) => Promise<{\n userId: string;\n keyId: string;\n scopes: HttpKeyContext[\"key\"][\"scopes\"];\n }>;\n };\n};\n\n/**\n * Auth context returned by `auth.http.context(ctx, request)`.\n *\n * This resolves raw HTTP authentication in two steps:\n * 1. session auth from `ctx.auth.getUserIdentity()`\n * 2. API key auth from `Authorization: Bearer sk_*`\n *\n * The `source` field tells you which authentication path succeeded.\n * When `source === \"key\"`, the verified API key metadata is available on\n * `key`.\n *\n * @example\n * ```ts\n * const authContext = await auth.http.context(ctx, request);\n * if (authContext.source === \"key\") {\n * console.log(authContext.key.keyId);\n * }\n * ```\n */\nexport type HttpAuthContext =\n | (AuthContext & {\n /** The request authenticated through a browser or session token. 
*/\n source: \"session\";\n /** No API key was used for this request. */\n key: null;\n })\n | (AuthContext & {\n /** The request authenticated through an API key. */\n source: \"key\";\n /** Verified API key metadata for the request. */\n key: HttpKeyContext[\"key\"];\n });\n\n/**\n * Nullable HTTP auth context returned by\n * `auth.http.context(ctx, request, { optional: true })`.\n *\n * This preserves a stable auth-shaped object for raw `httpAction` handlers\n * that allow anonymous callers.\n */\nexport type OptionalHttpAuthContext =\n | (OptionalAuthContext & {\n /** No authentication source was resolved. */\n source: null;\n /** No API key metadata is available. */\n key: null;\n })\n | HttpAuthContext;\n\n/**\n * Configuration for {@link createAuth().http.context}.\n *\n * This mirrors {@link AuthContextConfig} for raw HTTP handlers and adds support\n * for enriching mixed session/API-key auth results.\n *\n * @typeParam TResolve - Extra fields returned from `resolve()` and merged into\n * the resolved HTTP auth context.\n *\n * @example\n * ```ts\n * const authContext = await auth.http.context(ctx, request, {\n * resolve: async (_ctx, user, authState) => ({\n * email: user.email,\n * isMachineRequest: authState.source === \"key\",\n * }),\n * });\n * ```\n */\nexport type HttpAuthContextConfig<\n TResolve extends Record<string, unknown> = Record<string, never>,\n> = {\n /**\n * Allow unauthenticated callers and return a null-shaped auth object instead\n * of throwing `NOT_SIGNED_IN`.\n */\n optional?: boolean;\n /**\n * Attach additional derived fields to the resolved HTTP auth context.\n *\n * This callback runs only when authentication succeeds.\n */\n resolve?: (\n ctx: GenericActionCtx<any>,\n user: UserDoc,\n auth: HttpAuthContext,\n ) => Promise<TResolve> | TResolve;\n /**\n * Override or wrap HTTP auth resolution.\n *\n * Return `undefined` to use the built-in session-or-key resolver, `null` for\n * an explicit unauthenticated state, or a fully 
resolved\n * {@link HttpAuthContext}.\n */\n authResolve?: (\n ctx: GenericActionCtx<any>,\n fallback: () => Promise<HttpAuthContext | null>,\n ) =>\n | Promise<HttpAuthContext | null | undefined>\n | HttpAuthContext\n | null\n | undefined;\n};\n\nfunction createNotSignedInError() {\n return Cv.error({\n code: \"NOT_SIGNED_IN\",\n message: \"Authentication required.\",\n });\n}\n\nasync function getHttpKeyContext(\n auth: HttpContextAuthLike,\n ctx: GenericActionCtx<any>,\n request: Request,\n): Promise<HttpAuthContext | null> {\n const authHeader = request.headers.get(\"Authorization\");\n if (!authHeader?.startsWith(\"Bearer sk_\")) {\n return null;\n }\n\n try {\n const verified = await auth.key.verify(ctx, authHeader.slice(7));\n const authContext = await getAuthContextForUser(auth, ctx, verified.userId);\n return {\n ...authContext,\n source: \"key\",\n key: {\n userId: verified.userId,\n keyId: verified.keyId,\n scopes: verified.scopes,\n },\n };\n } catch {\n return null;\n }\n}\n\nasync function resolveHttpAuthContext(\n auth: HttpContextAuthLike,\n ctx: GenericActionCtx<any>,\n request: Request,\n): Promise<HttpAuthContext | null> {\n const sessionUserId = await getSessionUserId(ctx);\n if (sessionUserId !== null) {\n const authContext = await getAuthContextForUser(auth, ctx, sessionUserId);\n return {\n ...authContext,\n source: \"session\",\n key: null,\n };\n }\n\n return await getHttpKeyContext(auth, ctx, request);\n}\n\n/**\n * @internal\n * Create the implementation behind `auth.http.context(...)`.\n */\nexport function createHttpContext(auth: HttpContextAuthLike): {\n <TResolve extends Record<string, unknown> = Record<string, never>>(\n ctx: GenericActionCtx<any>,\n request: Request,\n config: HttpAuthContextConfig<TResolve> & { optional: true },\n ): Promise<OptionalHttpAuthContext & TResolve>;\n <TResolve extends Record<string, unknown> = Record<string, never>>(\n ctx: GenericActionCtx<any>,\n request: Request,\n config?: 
HttpAuthContextConfig<TResolve>,\n ): Promise<HttpAuthContext & TResolve>;\n} {\n return (async (\n ctx: GenericActionCtx<any>,\n request: Request,\n config?: HttpAuthContextConfig<any>,\n ) => {\n const fallback = () => resolveHttpAuthContext(auth, ctx, request);\n const authOverride = config?.authResolve\n ? await config.authResolve(ctx, fallback)\n : undefined;\n const resolved =\n authOverride === undefined ? await fallback() : authOverride;\n\n if (resolved === null) {\n if (config?.optional !== true) {\n throw createNotSignedInError();\n }\n return {\n ...createUnauthenticatedAuthContext(),\n source: null,\n key: null,\n };\n }\n\n const extra = config?.resolve\n ? await config.resolve(ctx, resolved.user, resolved)\n : {};\n\n return {\n ...resolved,\n ...extra,\n };\n }) as {\n <TResolve extends Record<string, unknown> = Record<string, never>>(\n ctx: GenericActionCtx<any>,\n request: Request,\n config: HttpAuthContextConfig<TResolve> & { optional: true },\n ): Promise<OptionalHttpAuthContext & TResolve>;\n <TResolve extends Record<string, unknown> = Record<string, never>>(\n ctx: GenericActionCtx<any>,\n request: Request,\n config?: HttpAuthContextConfig<TResolve>,\n ): Promise<HttpAuthContext & TResolve>;\n };\n}\n\nexport function createHttpAction(auth: {\n key: { verify: (ctx: GenericActionCtx<any>, rawKey: string) => Promise<any> };\n}) {\n return (\n handler: (\n ctx: GenericActionCtx<GenericDataModel> & HttpKeyContext,\n request: Request,\n ) => Promise<Response | Record<string, unknown>>,\n options?: {\n scope?: { resource: string; action: string };\n cors?: CorsConfig;\n },\n ) => {\n const corsConfig = options?.cors ?? {};\n const corsHeaders: Record<string, string> = {\n \"Access-Control-Allow-Origin\": corsConfig.origin ?? \"*\",\n \"Access-Control-Allow-Methods\":\n corsConfig.methods ?? \"GET,POST,PUT,PATCH,DELETE,OPTIONS\",\n \"Access-Control-Allow-Headers\":\n corsConfig.headers ?? 
\"Content-Type,Authorization\",\n };\n\n return httpActionGeneric(async (genericCtx, request) => {\n return Fx.run(\n Fx.from({\n ok: async () => {\n const authHeader = request.headers.get(\"Authorization\");\n if (!authHeader?.startsWith(\"Bearer \")) {\n return new Response(\n JSON.stringify({\n error: \"Missing or malformed Authorization: Bearer header.\",\n code: \"MISSING_BEARER_TOKEN\",\n }),\n {\n status: 401,\n headers: {\n ...corsHeaders,\n \"Content-Type\": \"application/json\",\n },\n },\n );\n }\n const rawKey = authHeader.slice(7);\n\n const keyResult = await Fx.run(\n Fx.attempt(\n () => auth.key.verify(genericCtx, rawKey),\n (result) => ({ ok: true, value: result }) as const,\n (error) => ({ ok: false, error }) as const,\n ),\n );\n\n if (!keyResult.ok) {\n if (\n keyResult.error instanceof ConvexError &&\n typeof keyResult.error.data === \"object\" &&\n keyResult.error.data !== null &&\n \"code\" in keyResult.error.data &&\n \"message\" in keyResult.error.data\n ) {\n const { code, message } = keyResult.error.data as {\n code: string;\n message: string;\n };\n return new Response(JSON.stringify({ error: message, code }), {\n status: 403,\n headers: {\n ...corsHeaders,\n \"Content-Type\": \"application/json\",\n },\n });\n }\n throw keyResult.error;\n }\n\n if (\n options?.scope &&\n !keyResult.value.scopes.can(\n options.scope.resource,\n options.scope.action,\n )\n ) {\n return new Response(\n JSON.stringify({\n error: \"This API key does not have the required permissions.\",\n code: \"SCOPE_CHECK_FAILED\",\n }),\n {\n status: 403,\n headers: {\n ...corsHeaders,\n \"Content-Type\": \"application/json\",\n },\n },\n );\n }\n\n const enrichedCtx = Object.assign(genericCtx, {\n key: {\n userId: keyResult.value.userId,\n keyId: keyResult.value.keyId,\n scopes: keyResult.value.scopes,\n },\n });\n const result = await handler(enrichedCtx, request);\n\n if (result instanceof Response) {\n const headers = new Headers(result.headers);\n for (const [k, val] 
of Object.entries(corsHeaders)) {\n if (!headers.has(k)) headers.set(k, val);\n }\n return new Response(result.body, {\n status: result.status,\n statusText: result.statusText,\n headers,\n });\n }\n\n return new Response(JSON.stringify(result), {\n status: 200,\n headers: {\n ...corsHeaders,\n \"Content-Type\": \"application/json\",\n },\n });\n },\n err: (error) => error,\n }).pipe(\n Fx.recover((error) => {\n logError(error);\n return Fx.succeed(\n new Response(\n JSON.stringify({\n error: \"An unexpected error occurred.\",\n code: \"INTERNAL_ERROR\",\n }),\n {\n status: 500,\n headers: {\n ...corsHeaders,\n \"Content-Type\": \"application/json\",\n },\n },\n ),\n );\n }),\n ),\n );\n });\n };\n}\n\nexport function createHttpRoute(\n wrapAction: ReturnType<typeof createHttpAction>,\n) {\n return (\n http: { route: (config: any) => void },\n routeConfig: {\n path: string;\n method: \"GET\" | \"POST\" | \"PUT\" | \"PATCH\" | \"DELETE\";\n handler: (\n ctx: GenericActionCtx<GenericDataModel> & HttpKeyContext,\n request: Request,\n ) => Promise<Response | Record<string, unknown>>;\n scope?: { resource: string; action: string };\n cors?: CorsConfig;\n },\n ) => {\n const corsConfig = routeConfig.cors ?? {};\n const corsHeaders: Record<string, string> = {\n \"Access-Control-Allow-Origin\": corsConfig.origin ?? \"*\",\n \"Access-Control-Allow-Methods\":\n corsConfig.methods ?? \"GET,POST,PUT,PATCH,DELETE,OPTIONS\",\n \"Access-Control-Allow-Headers\":\n corsConfig.headers ?? 
\"Content-Type,Authorization\",\n };\n\n http.route({\n path: routeConfig.path,\n method: \"OPTIONS\",\n handler: httpActionGeneric(async () => {\n return new Response(null, { status: 204, headers: corsHeaders });\n }),\n });\n\n http.route({\n path: routeConfig.path,\n method: routeConfig.method,\n handler: wrapAction(routeConfig.handler, {\n scope: routeConfig.scope,\n cors: routeConfig.cors,\n }),\n });\n };\n}\n\nexport function convertErrorsToResponse(\n errorStatusCode: number,\n action: (ctx: GenericActionCtx<any>, request: Request) => Promise<Response>,\n) {\n return async (ctx: GenericActionCtx<any>, request: Request) => {\n return Fx.run(\n Fx.from({\n ok: () => action(ctx, request),\n err: (error) => error,\n }).pipe(\n Fx.recover((error) => {\n if (\n error instanceof ConvexError &&\n typeof error.data === \"object\" &&\n error.data !== null &&\n \"code\" in error.data &&\n \"message\" in error.data\n ) {\n return Fx.succeed(\n new Response(\n JSON.stringify({\n code: error.data.code,\n message: error.data.message,\n }),\n {\n status: errorStatusCode,\n headers: { \"Content-Type\": \"application/json\" },\n },\n ),\n );\n } else if (error instanceof ConvexError) {\n return Fx.succeed(\n new Response(null, {\n status: errorStatusCode,\n statusText:\n typeof error.data === \"string\" ? error.data : \"Error\",\n }),\n );\n } else {\n logError(error);\n return Fx.succeed(\n new Response(null, {\n status: 500,\n statusText: \"Internal Server Error\",\n }),\n );\n }\n }),\n ),\n );\n };\n}\n\nexport function getCookies(\n request: Request,\n): Record<string, string | undefined> {\n return parseCookies(request.headers.get(\"Cookie\") ?? 
\"\");\n}\n\nexport type SSORuntimeRoute = {\n pathname?: string;\n enterpriseId: string;\n protocol: \"oidc\" | \"saml\" | \"scim\";\n rest: string[];\n};\n\nfunction parseEnterpriseRuntimeRoute(\n pathname: string,\n routeBase: string,\n): SSORuntimeRoute | null {\n const runtimePrefix = `${routeBase}/`;\n const runtimeParts = pathname.startsWith(runtimePrefix)\n ? pathname.slice(runtimePrefix.length).split(\"/\").filter(Boolean)\n : [];\n const [runtimeEnterpriseId, protocol, ...rest] = runtimeParts;\n if (\n runtimeEnterpriseId === undefined ||\n (protocol !== \"oidc\" && protocol !== \"saml\" && protocol !== \"scim\") ||\n rest.length === 0\n ) {\n return null;\n }\n return {\n pathname,\n enterpriseId: runtimeEnterpriseId,\n protocol,\n rest,\n };\n}\n\nexport function addOpenIdRoutes(\n http: HttpRouter,\n deps: {\n getIssuer: () => string;\n getJwks: () => string;\n },\n) {\n const cacheControl =\n \"public, max-age=15, stale-while-revalidate=15, stale-if-error=86400\";\n\n http.route({\n path: \"/.well-known/openid-configuration\",\n method: \"GET\",\n handler: httpActionGeneric(async () => {\n const issuer = deps.getIssuer();\n return new Response(\n JSON.stringify({\n issuer,\n jwks_uri: `${issuer}/.well-known/jwks.json`,\n }),\n {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n \"Cache-Control\": cacheControl,\n },\n },\n );\n }),\n });\n\n http.route({\n path: \"/.well-known/jwks.json\",\n method: \"GET\",\n handler: httpActionGeneric(async () => {\n return new Response(deps.getJwks(), {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n \"Cache-Control\": cacheControl,\n },\n });\n }),\n });\n}\n\nexport function addAuthRoutes(\n http: HttpRouter,\n deps: {\n handleSignIn: (\n ctx: GenericActionCtx<any>,\n request: Request,\n ) => Promise<Response>;\n handleCallback: (\n ctx: GenericActionCtx<any>,\n request: Request,\n ) => Promise<Response>;\n },\n) {\n http.route({\n pathPrefix: \"/api/auth/signin/\",\n 
method: \"GET\",\n handler: httpActionGeneric(deps.handleSignIn),\n });\n\n const callbackHandler = httpActionGeneric(deps.handleCallback);\n\n http.route({\n pathPrefix: \"/api/auth/callback/\",\n method: \"GET\",\n handler: callbackHandler,\n });\n\n http.route({\n pathPrefix: \"/api/auth/callback/\",\n method: \"POST\",\n handler: callbackHandler,\n });\n}\n\nexport function addSSORoutes(\n http: HttpRouter,\n deps: {\n routeBase: string;\n convertErrorsToResponse: typeof convertErrorsToResponse;\n handleSamlMetadata: (\n ctx: GenericActionCtx<any>,\n request: Request,\n route: SSORuntimeRoute,\n ) => Promise<Response>;\n handleSamlSignIn: (\n ctx: GenericActionCtx<any>,\n request: Request,\n route: SSORuntimeRoute,\n ) => Promise<Response>;\n handleOidcSignIn: (\n ctx: GenericActionCtx<any>,\n request: Request,\n route: SSORuntimeRoute,\n ) => Promise<Response>;\n handleOidcCallback: (\n ctx: GenericActionCtx<any>,\n request: Request,\n route: SSORuntimeRoute,\n ) => Promise<Response>;\n handleSamlAcs: (\n ctx: GenericActionCtx<any>,\n request: Request,\n route: SSORuntimeRoute,\n ) => Promise<Response>;\n handleSamlSlo: (\n ctx: GenericActionCtx<any>,\n request: Request,\n route: SSORuntimeRoute,\n ) => Promise<Response>;\n handleScimRequest: (\n ctx: GenericActionCtx<any>,\n request: Request,\n ) => Promise<Response>;\n scimError: (status: number, scimType: string, detail: string) => Response;\n },\n) {\n const routePrefix = `${deps.routeBase}/`;\n\n http.route({\n pathPrefix: routePrefix,\n method: \"GET\",\n handler: httpActionGeneric(\n deps.convertErrorsToResponse(400, async (ctx, request) => {\n const route = parseEnterpriseRuntimeRoute(\n new URL(request.url).pathname,\n deps.routeBase,\n );\n if (!route) {\n throw Cv.error({\n code: \"INVALID_PARAMETERS\",\n message: \"Invalid enterprise runtime path.\",\n });\n }\n if (route.protocol === \"saml\" && route.rest.length === 1) {\n if (route.rest[0] === \"metadata\") {\n return await 
deps.handleSamlMetadata(ctx, request, route);\n }\n if (route.rest[0] === \"signin\") {\n return await deps.handleSamlSignIn(ctx, request, route);\n }\n if (route.rest[0] === \"acs\") {\n return await deps.handleSamlAcs(ctx, request, route);\n }\n if (route.rest[0] === \"slo\") {\n return await deps.handleSamlSlo(ctx, request, route);\n }\n }\n if (route.protocol === \"oidc\" && route.rest.length === 1) {\n if (route.rest[0] === \"signin\") {\n return await deps.handleOidcSignIn(ctx, request, route);\n }\n if (route.rest[0] === \"callback\") {\n return await deps.handleOidcCallback(ctx, request, route);\n }\n }\n if (route.protocol === \"scim\" && route.rest[0] === \"v2\") {\n return await deps.handleScimRequest(ctx, request);\n }\n throw Cv.error({\n code: \"INVALID_PARAMETERS\",\n message: \"Invalid enterprise runtime path.\",\n });\n }),\n ),\n });\n\n http.route({\n pathPrefix: routePrefix,\n method: \"POST\",\n handler: httpActionGeneric(\n deps.convertErrorsToResponse(400, async (ctx, request) => {\n const route = parseEnterpriseRuntimeRoute(\n new URL(request.url).pathname,\n deps.routeBase,\n );\n if (route?.protocol === \"saml\" && route.rest.length === 1) {\n if (route.rest[0] === \"acs\") {\n return await deps.handleSamlAcs(ctx, request, route);\n }\n if (route.rest[0] === \"slo\") {\n return await deps.handleSamlSlo(ctx, request, route);\n }\n }\n if (route?.protocol === \"scim\" && route.rest[0] === \"v2\") {\n return await deps.handleScimRequest(ctx, request);\n }\n throw Cv.error({\n code: \"INVALID_PARAMETERS\",\n message: \"Invalid enterprise runtime path.\",\n });\n }),\n ),\n });\n\n http.route({\n pathPrefix: routePrefix,\n method: \"PUT\",\n handler: httpActionGeneric(\n deps.convertErrorsToResponse(400, async (ctx, request) => {\n const route = parseEnterpriseRuntimeRoute(\n new URL(request.url).pathname,\n deps.routeBase,\n );\n if (route?.protocol === \"scim\" && route.rest[0] === \"v2\") {\n return await deps.handleScimRequest(ctx, 
request);\n }\n throw Cv.error({\n code: \"INVALID_PARAMETERS\",\n message: \"Invalid enterprise runtime path.\",\n });\n }),\n ),\n });\n\n for (const method of [\"PATCH\", \"DELETE\"] as const) {\n http.route({\n pathPrefix: routePrefix,\n method,\n handler: httpActionGeneric(async (ctx, request) => {\n const route = parseEnterpriseRuntimeRoute(\n new URL(request.url).pathname,\n deps.routeBase,\n );\n if (!route || route.protocol !== \"scim\" || route.rest[0] !== \"v2\") {\n return deps.scimError(404, \"notFound\", \"SCIM resource not found.\");\n }\n return await deps.handleScimRequest(ctx, request);\n }),\n });\n }\n}\n"],"mappings":";;;;;;;;;AA0JA,SAAS,yBAAyB;AAChC,QAAO,GAAG,MAAM;EACd,MAAM;EACN,SAAS;EACV,CAAC;;AAGJ,eAAe,kBACb,MACA,KACA,SACiC;CACjC,MAAM,aAAa,QAAQ,QAAQ,IAAI,gBAAgB;AACvD,KAAI,CAAC,YAAY,WAAW,aAAa,CACvC,QAAO;AAGT,KAAI;EACF,MAAM,WAAW,MAAM,KAAK,IAAI,OAAO,KAAK,WAAW,MAAM,EAAE,CAAC;AAEhE,SAAO;GACL,GAFkB,MAAM,sBAAsB,MAAM,KAAK,SAAS,OAAO;GAGzE,QAAQ;GACR,KAAK;IACH,QAAQ,SAAS;IACjB,OAAO,SAAS;IAChB,QAAQ,SAAS;IAClB;GACF;SACK;AACN,SAAO;;;AAIX,eAAe,uBACb,MACA,KACA,SACiC;CACjC,MAAM,gBAAgB,MAAM,iBAAiB,IAAI;AACjD,KAAI,kBAAkB,KAEpB,QAAO;EACL,GAFkB,MAAM,sBAAsB,MAAM,KAAK,cAAc;EAGvE,QAAQ;EACR,KAAK;EACN;AAGH,QAAO,MAAM,kBAAkB,MAAM,KAAK,QAAQ;;;;;;AAOpD,SAAgB,kBAAkB,MAWhC;AACA,SAAQ,OACN,KACA,SACA,WACG;EACH,MAAM,iBAAiB,uBAAuB,MAAM,KAAK,QAAQ;EACjE,MAAM,eAAe,QAAQ,cACzB,MAAM,OAAO,YAAY,KAAK,SAAS,GACvC;EACJ,MAAM,WACJ,iBAAiB,SAAY,MAAM,UAAU,GAAG;AAElD,MAAI,aAAa,MAAM;AACrB,OAAI,QAAQ,aAAa,KACvB,OAAM,wBAAwB;AAEhC,UAAO;IACL,GAAG,kCAAkC;IACrC,QAAQ;IACR,KAAK;IACN;;EAGH,MAAM,QAAQ,QAAQ,UAClB,MAAM,OAAO,QAAQ,KAAK,SAAS,MAAM,SAAS,GAClD,EAAE;AAEN,SAAO;GACL,GAAG;GACH,GAAG;GACJ;;;AAeL,SAAgB,iBAAiB,MAE9B;AACD,SACE,SAIA,YAIG;EACH,MAAM,aAAa,SAAS,QAAQ,EAAE;EACtC,MAAM,cAAsC;GAC1C,+BAA+B,WAAW,UAAU;GACpD,gCACE,WAAW,WAAW;GACxB,gCACE,WAAW,WAAW;GACzB;AAED,SAAO,kBAAkB,OAAO,YAAY,YAAY;AACtD,UAAO,GAAG,IACR,GAAG,KAAK;IACN,IAAI,YAAY;KACd,MAAM,aAAa,QAAQ,QAAQ,IAAI,gBAAgB;AACvD,SAAI,CAAC,YAAY,WAAW,UAAU,CACpC,QAAO,I
AAI,SACT,KAAK,UAAU;MACb,OAAO;MACP,MAAM;MACP,CAAC,EACF;MACE,QAAQ;MACR,SAAS;OACP,GAAG;OACH,gBAAgB;OACjB;MACF,CACF;KAEH,MAAM,SAAS,WAAW,MAAM,EAAE;KAElC,MAAM,YAAY,MAAM,GAAG,IACzB,GAAG,cACK,KAAK,IAAI,OAAO,YAAY,OAAO,GACxC,cAAY;MAAE,IAAI;MAAM,OAAOA;MAAQ,IACvC,WAAW;MAAE,IAAI;MAAO;MAAO,EACjC,CACF;AAED,SAAI,CAAC,UAAU,IAAI;AACjB,UACE,UAAU,iBAAiB,eAC3B,OAAO,UAAU,MAAM,SAAS,YAChC,UAAU,MAAM,SAAS,QACzB,UAAU,UAAU,MAAM,QAC1B,aAAa,UAAU,MAAM,MAC7B;OACA,MAAM,EAAE,MAAM,YAAY,UAAU,MAAM;AAI1C,cAAO,IAAI,SAAS,KAAK,UAAU;QAAE,OAAO;QAAS;QAAM,CAAC,EAAE;QAC5D,QAAQ;QACR,SAAS;SACP,GAAG;SACH,gBAAgB;SACjB;QACF,CAAC;;AAEJ,YAAM,UAAU;;AAGlB,SACE,SAAS,SACT,CAAC,UAAU,MAAM,OAAO,IACtB,QAAQ,MAAM,UACd,QAAQ,MAAM,OACf,CAED,QAAO,IAAI,SACT,KAAK,UAAU;MACb,OAAO;MACP,MAAM;MACP,CAAC,EACF;MACE,QAAQ;MACR,SAAS;OACP,GAAG;OACH,gBAAgB;OACjB;MACF,CACF;KAUH,MAAM,SAAS,MAAM,QAPD,OAAO,OAAO,YAAY,EAC5C,KAAK;MACH,QAAQ,UAAU,MAAM;MACxB,OAAO,UAAU,MAAM;MACvB,QAAQ,UAAU,MAAM;MACzB,EACF,CAAC,EACwC,QAAQ;AAElD,SAAI,kBAAkB,UAAU;MAC9B,MAAM,UAAU,IAAI,QAAQ,OAAO,QAAQ;AAC3C,WAAK,MAAM,CAAC,GAAG,QAAQ,OAAO,QAAQ,YAAY,CAChD,KAAI,CAAC,QAAQ,IAAI,EAAE,CAAE,SAAQ,IAAI,GAAG,IAAI;AAE1C,aAAO,IAAI,SAAS,OAAO,MAAM;OAC/B,QAAQ,OAAO;OACf,YAAY,OAAO;OACnB;OACD,CAAC;;AAGJ,YAAO,IAAI,SAAS,KAAK,UAAU,OAAO,EAAE;MAC1C,QAAQ;MACR,SAAS;OACP,GAAG;OACH,gBAAgB;OACjB;MACF,CAAC;;IAEJ,MAAM,UAAU;IACjB,CAAC,CAAC,KACD,GAAG,SAAS,UAAU;AACpB,aAAS,MAAM;AACf,WAAO,GAAG,QACR,IAAI,SACF,KAAK,UAAU;KACb,OAAO;KACP,MAAM;KACP,CAAC,EACF;KACE,QAAQ;KACR,SAAS;MACP,GAAG;MACH,gBAAgB;MACjB;KACF,CACF,CACF;KACD,CACH,CACF;IACD;;;AAIN,SAAgB,gBACd,YACA;AACA,SACE,MACA,gBAUG;EACH,MAAM,aAAa,YAAY,QAAQ,EAAE;EACzC,MAAM,cAAsC;GAC1C,+BAA+B,WAAW,UAAU;GACpD,gCACE,WAAW,WAAW;GACxB,gCACE,WAAW,WAAW;GACzB;AAED,OAAK,MAAM;GACT,MAAM,YAAY;GAClB,QAAQ;GACR,SAAS,kBAAkB,YAAY;AACrC,WAAO,IAAI,SAAS,MAAM;KAAE,QAAQ;KAAK,SAAS;KAAa,CAAC;KAChE;GACH,CAAC;AAEF,OAAK,MAAM;GACT,MAAM,YAAY;GAClB,QAAQ,YAAY;GACpB,SAAS,WAAW,YAAY,SAAS;IACvC,OAAO,YAAY;IACnB,MAAM,YAAY;IACnB,CAAC;GACH,CAAC;;;AAIN,SAAgB,wBACd,iBACA,QACA;AACA,QAAO,OAAO,KAA4B,YAAqB;AAC7D,SAAO
,GAAG,IACR,GAAG,KAAK;GACN,UAAU,OAAO,KAAK,QAAQ;GAC9B,MAAM,UAAU;GACjB,CAAC,CAAC,KACD,GAAG,SAAS,UAAU;AACpB,OACE,iBAAiB,eACjB,OAAO,MAAM,SAAS,YACtB,MAAM,SAAS,QACf,UAAU,MAAM,QAChB,aAAa,MAAM,KAEnB,QAAO,GAAG,QACR,IAAI,SACF,KAAK,UAAU;IACb,MAAM,MAAM,KAAK;IACjB,SAAS,MAAM,KAAK;IACrB,CAAC,EACF;IACE,QAAQ;IACR,SAAS,EAAE,gBAAgB,oBAAoB;IAChD,CACF,CACF;YACQ,iBAAiB,YAC1B,QAAO,GAAG,QACR,IAAI,SAAS,MAAM;IACjB,QAAQ;IACR,YACE,OAAO,MAAM,SAAS,WAAW,MAAM,OAAO;IACjD,CAAC,CACH;QACI;AACL,aAAS,MAAM;AACf,WAAO,GAAG,QACR,IAAI,SAAS,MAAM;KACjB,QAAQ;KACR,YAAY;KACb,CAAC,CACH;;IAEH,CACH,CACF;;;AAIL,SAAgB,WACd,SACoC;AACpC,QAAOC,MAAa,QAAQ,QAAQ,IAAI,SAAS,IAAI,GAAG;;AAU1D,SAAS,4BACP,UACA,WACwB;CACxB,MAAM,gBAAgB,GAAG,UAAU;CAInC,MAAM,CAAC,qBAAqB,UAAU,GAAG,QAHpB,SAAS,WAAW,cAAc,GACnD,SAAS,MAAM,cAAc,OAAO,CAAC,MAAM,IAAI,CAAC,OAAO,QAAQ,GAC/D,EAAE;AAEN,KACE,wBAAwB,UACvB,aAAa,UAAU,aAAa,UAAU,aAAa,UAC5D,KAAK,WAAW,EAEhB,QAAO;AAET,QAAO;EACL;EACA,cAAc;EACd;EACA;EACD;;AAGH,SAAgB,gBACd,MACA,MAIA;CACA,MAAM,eACJ;AAEF,MAAK,MAAM;EACT,MAAM;EACN,QAAQ;EACR,SAAS,kBAAkB,YAAY;GACrC,MAAM,SAAS,KAAK,WAAW;AAC/B,UAAO,IAAI,SACT,KAAK,UAAU;IACb;IACA,UAAU,GAAG,OAAO;IACrB,CAAC,EACF;IACE,QAAQ;IACR,SAAS;KACP,gBAAgB;KAChB,iBAAiB;KAClB;IACF,CACF;IACD;EACH,CAAC;AAEF,MAAK,MAAM;EACT,MAAM;EACN,QAAQ;EACR,SAAS,kBAAkB,YAAY;AACrC,UAAO,IAAI,SAAS,KAAK,SAAS,EAAE;IAClC,QAAQ;IACR,SAAS;KACP,gBAAgB;KAChB,iBAAiB;KAClB;IACF,CAAC;IACF;EACH,CAAC;;AAGJ,SAAgB,cACd,MACA,MAUA;AACA,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBAAkB,KAAK,aAAa;EAC9C,CAAC;CAEF,MAAM,kBAAkB,kBAAkB,KAAK,eAAe;AAE9D,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS;EACV,CAAC;AAEF,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS;EACV,CAAC;;AAGJ,SAAgB,aACd,MACA,MAuCA;CACA,MAAM,cAAc,GAAG,KAAK,UAAU;AAEtC,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBACP,KAAK,wBAAwB,KAAK,OAAO,KAAK,YAAY;GACxD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,CAAC,MACH,OAAM,GAAG,MAAM;IACb,MAAM;IACN,SAAS;IACV,CAAC;AAEJ,OAAI,MAAM,aAAa,UAAU,MAAM,KAAK,WAAW,GAAG;AACxD,QAAI,MAAM,KAAK,OAAO,WACpB,QAAO,MAAM,KAAK,mBAAmB,KAAK,SAAS,MAAM;AAE3
D,QAAI,MAAM,KAAK,OAAO,SACpB,QAAO,MAAM,KAAK,iBAAiB,KAAK,SAAS,MAAM;AAEzD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;AAEtD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;;AAGxD,OAAI,MAAM,aAAa,UAAU,MAAM,KAAK,WAAW,GAAG;AACxD,QAAI,MAAM,KAAK,OAAO,SACpB,QAAO,MAAM,KAAK,iBAAiB,KAAK,SAAS,MAAM;AAEzD,QAAI,MAAM,KAAK,OAAO,WACpB,QAAO,MAAM,KAAK,mBAAmB,KAAK,SAAS,MAAM;;AAG7D,OAAI,MAAM,aAAa,UAAU,MAAM,KAAK,OAAO,KACjD,QAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;AAEnD,SAAM,GAAG,MAAM;IACb,MAAM;IACN,SAAS;IACV,CAAC;IACF,CACH;EACF,CAAC;AAEF,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBACP,KAAK,wBAAwB,KAAK,OAAO,KAAK,YAAY;GACxD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,OAAO,aAAa,UAAU,MAAM,KAAK,WAAW,GAAG;AACzD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;AAEtD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;;AAGxD,OAAI,OAAO,aAAa,UAAU,MAAM,KAAK,OAAO,KAClD,QAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;AAEnD,SAAM,GAAG,MAAM;IACb,MAAM;IACN,SAAS;IACV,CAAC;IACF,CACH;EACF,CAAC;AAEF,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBACP,KAAK,wBAAwB,KAAK,OAAO,KAAK,YAAY;GACxD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,OAAO,aAAa,UAAU,MAAM,KAAK,OAAO,KAClD,QAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;AAEnD,SAAM,GAAG,MAAM;IACb,MAAM;IACN,SAAS;IACV,CAAC;IACF,CACH;EACF,CAAC;AAEF,MAAK,MAAM,UAAU,CAAC,SAAS,SAAS,CACtC,MAAK,MAAM;EACT,YAAY;EACZ;EACA,SAAS,kBAAkB,OAAO,KAAK,YAAY;GACjD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,CAAC,SAAS,MAAM,aAAa,UAAU,MAAM,KAAK,OAAO,KAC3D,QAAO,KAAK,UAAU,KAAK,YAAY,2BAA2B;AAEpE,UAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;IACjD;EACH,CAAC"}
@@ -1 +0,0 @@
1
- export { };
@@ -1 +0,0 @@
1
- {"version":3,"file":"identity.js","names":[],"sources":["../../src/server/identity.ts"],"sourcesContent":["import { Cv } from \"@robelest/fx/convex\";\n\n/** @internal */\nexport function userIdFromIdentitySubject(subject: string): string {\n const [userId, ...rest] = subject.split(\"|\");\n if (\n typeof userId !== \"string\" ||\n userId.length === 0 ||\n rest.length === 0 ||\n rest.some((segment) => segment.length === 0)\n ) {\n throw Cv.error({\n code: \"INTERNAL_ERROR\",\n message: \"Authenticated identity subject is malformed.\",\n });\n }\n return userId;\n}\n"],"mappings":";;;;AAGA,SAAgB,0BAA0B,SAAyB;CACjE,MAAM,CAAC,QAAQ,GAAG,QAAQ,QAAQ,MAAM,IAAI;AAC5C,KACE,OAAO,WAAW,YAClB,OAAO,WAAW,KAClB,KAAK,WAAW,KAChB,KAAK,MAAM,YAAY,QAAQ,WAAW,EAAE,CAE5C,OAAM,GAAG,MAAM;EACb,MAAM;EACN,SAAS;EACV,CAAC;AAEJ,QAAO"}
@@ -1 +0,0 @@
1
- export { };
@@ -1 +0,0 @@
1
- {"version":3,"file":"keys.js","names":[],"sources":["../../src/server/keys.ts"],"sourcesContent":["/**\n * API Key crypto utilities.\n *\n * Uses `@oslojs/crypto` primitives for key generation and hashing:\n * - SHA-256 for hashing keys (API keys have high entropy, no need for bcrypt)\n * - Cryptographically secure random generation for key material\n *\n * @module\n */\n\nimport type { KeyScope, ScopeChecker } from \"./types\";\nimport { sha256, generateRandomString } from \"./utils\";\n\n// ============================================================================\n// Constants\n// ============================================================================\n\nconst DEFAULT_KEY_PREFIX = \"sk_\";\nconst KEY_RANDOM_LENGTH = 32;\nconst KEY_RANDOM_ALPHABET =\n \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\";\n\n/**\n * How many characters of the full key to store as the visible prefix.\n * Includes the prefix string (e.g. \"sk_\") plus a few random chars.\n */\nconst VISIBLE_PREFIX_EXTRA_CHARS = 4;\n\n// ============================================================================\n// Key generation\n// ============================================================================\n\n/**\n * Generate a new API key.\n *\n * Returns the raw key (to be shown once to the user) and metadata for storage.\n * The raw key is `{prefix}{32 random alphanumeric chars}`.\n *\n * @param prefix - Key prefix, defaults to \"sk_\"\n * @returns `{ raw, hashedKey, displayPrefix }`\n */\n/** @internal */\nexport async function generateApiKey(\n prefix: string = DEFAULT_KEY_PREFIX,\n): Promise<{\n /** The full raw key — show to user once, never store. */\n raw: string;\n /** SHA-256 hex hash of the raw key — store this. */\n hashedKey: string;\n /** Truncated prefix for display (e.g. \"sk_aBc1...\"). 
*/\n displayPrefix: string;\n}> {\n const randomPart = generateRandomString(\n KEY_RANDOM_LENGTH,\n KEY_RANDOM_ALPHABET,\n );\n const raw = `${prefix}${randomPart}`;\n const hashedKey = await sha256(raw);\n const displayPrefix = `${raw.substring(0, prefix.length + VISIBLE_PREFIX_EXTRA_CHARS)}...`;\n\n return { raw, hashedKey, displayPrefix };\n}\n\n/**\n * Hash a raw API key for lookup.\n *\n * Used during Bearer token verification to find the stored key record.\n */\n/** @internal */\nexport async function hashApiKey(rawKey: string): Promise<string> {\n return sha256(rawKey);\n}\n\n// ============================================================================\n// Scope checker\n// ============================================================================\n\n/**\n * Build a `ScopeChecker` from an array of `KeyScope` entries.\n *\n * The checker provides a `.can(resource, action)` method that returns `true`\n * if any scope entry grants the requested permission.\n *\n * A wildcard action `\"*\"` grants all actions on that resource.\n * A wildcard resource `\"*\"` grants the action on all resources.\n */\n/** @internal */\nexport function buildScopeChecker(scopes: KeyScope[]): ScopeChecker {\n return {\n scopes,\n can(resource: string, action: string): boolean {\n return scopes.some(\n (scope) =>\n (scope.resource === resource || scope.resource === \"*\") &&\n (scope.actions.includes(action) || scope.actions.includes(\"*\")),\n );\n },\n };\n}\n\n// ============================================================================\n// Per-key rate limiting (token-bucket)\n// ============================================================================\n\n/**\n * Check whether a key is rate-limited based on its stored state.\n *\n * Uses the same token-bucket algorithm as sign-in rate limiting:\n * tokens refill linearly over the configured window.\n *\n * @returns `{ limited: boolean; newState: { attemptsLeft, lastAttemptTime } }`\n */\n/** @internal */\nexport function 
checkKeyRateLimit(\n rateLimit: { maxRequests: number; windowMs: number },\n state: { attemptsLeft: number; lastAttemptTime: number } | undefined,\n): {\n limited: boolean;\n newState: { attemptsLeft: number; lastAttemptTime: number };\n} {\n const now = Date.now();\n\n if (!state) {\n // First request — create initial state with one token consumed.\n return {\n limited: false,\n newState: {\n attemptsLeft: rateLimit.maxRequests - 1,\n lastAttemptTime: now,\n },\n };\n }\n\n const elapsed = now - state.lastAttemptTime;\n const refillRate = rateLimit.maxRequests / rateLimit.windowMs;\n const refilled = Math.min(\n rateLimit.maxRequests,\n state.attemptsLeft + elapsed * refillRate,\n );\n\n if (refilled < 1) {\n return {\n limited: true,\n newState: {\n attemptsLeft: refilled,\n lastAttemptTime: now,\n },\n };\n }\n\n return {\n limited: false,\n newState: {\n attemptsLeft: refilled - 1,\n lastAttemptTime: now,\n },\n };\n}\n"],"mappings":";;;AAiBA,MAAM,qBAAqB;AAC3B,MAAM,oBAAoB;AAC1B,MAAM,sBACJ;;;;;AAMF,MAAM,6BAA6B;;;;;;;;;;;AAgBnC,eAAsB,eACpB,SAAiB,oBAQhB;CAKD,MAAM,MAAM,GAAG,SAJI,qBACjB,mBACA,oBACD;AAKD,QAAO;EAAE;EAAK,WAHI,MAAM,OAAO,IAAI;EAGV,eAFH,GAAG,IAAI,UAAU,GAAG,OAAO,SAAS,2BAA2B,CAAC;EAE9C;;;;;;;;AAS1C,eAAsB,WAAW,QAAiC;AAChE,QAAO,OAAO,OAAO;;;;;;;;;;;;AAiBvB,SAAgB,kBAAkB,QAAkC;AAClE,QAAO;EACL;EACA,IAAI,UAAkB,QAAyB;AAC7C,UAAO,OAAO,MACX,WACE,MAAM,aAAa,YAAY,MAAM,aAAa,SAClD,MAAM,QAAQ,SAAS,OAAO,IAAI,MAAM,QAAQ,SAAS,IAAI,EACjE;;EAEJ;;;;;;;;;;;AAgBH,SAAgB,kBACd,WACA,OAIA;CACA,MAAM,MAAM,KAAK,KAAK;AAEtB,KAAI,CAAC,MAEH,QAAO;EACL,SAAS;EACT,UAAU;GACR,cAAc,UAAU,cAAc;GACtC,iBAAiB;GAClB;EACF;CAGH,MAAM,UAAU,MAAM,MAAM;CAC5B,MAAM,aAAa,UAAU,cAAc,UAAU;CACrD,MAAM,WAAW,KAAK,IACpB,UAAU,aACV,MAAM,eAAe,UAAU,WAChC;AAED,KAAI,WAAW,EACb,QAAO;EACL,SAAS;EACT,UAAU;GACR,cAAc;GACd,iBAAiB;GAClB;EACF;AAGH,QAAO;EACL,SAAS;EACT,UAAU;GACR,cAAc,WAAW;GACzB,iBAAiB;GAClB;EACF"}
@@ -1 +0,0 @@
1
- export { };
@@ -1 +0,0 @@
1
- {"version":3,"file":"limits.js","names":[],"sources":["../../src/server/limits.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { ConvexError } from \"convex/values\";\n\nimport { authDb } from \"./db\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { ConvexAuthConfig } from \"./types\";\n\nconst DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;\n\n/**\n * Check whether the given identifier is currently rate-limited.\n */\n/** @internal */\nexport const isSignInRateLimited = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<boolean, ConvexError<any>> =>\n getRateLimitState(ctx, identifier, config).pipe(\n Fx.map((state) => state !== null && state.attemptsLeft < 1),\n );\n\n/**\n * Record a failed sign-in attempt for the given identifier.\n *\n * If a record exists, decrement; otherwise create.\n */\n/** @internal */\nexport const recordFailedSignIn = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<void, ConvexError<any>> =>\n Fx.gen(function* () {\n const state = yield* getRateLimitState(ctx, identifier, config);\n if (state !== null) {\n yield* Fx.promise(() =>\n authDb(ctx, config).rateLimits.patch(state.limit._id, {\n attemptsLeft: state.attemptsLeft - 1,\n lastAttemptTime: Date.now(),\n }),\n );\n } else {\n yield* Fx.promise(() =>\n authDb(ctx, config).rateLimits.create({\n identifier,\n attemptsLeft:\n (config.signIn?.maxFailedAttemptsPerHour ??\n DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR) - 1,\n lastAttemptTime: Date.now(),\n }),\n );\n }\n });\n\n/**\n * Reset the rate limit for the given identifier (e.g. 
after successful sign-in).\n */\n/** @internal */\nexport const resetSignInRateLimit = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<void, ConvexError<any>> =>\n Fx.gen(function* () {\n const state = yield* getRateLimitState(ctx, identifier, config);\n if (state !== null) {\n yield* Fx.promise(() =>\n authDb(ctx, config).rateLimits.delete(state.limit._id),\n );\n }\n });\n\n// ---------------------------------------------------------------------------\n// Internal\n// ---------------------------------------------------------------------------\n\ntype RateLimitState = {\n limit: Doc<\"RateLimit\"> & { attemptsLeft: number; lastAttemptTime: number };\n attemptsLeft: number;\n} | null;\n\nconst getRateLimitState = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<RateLimitState, ConvexError<any>> =>\n Fx.gen(function* () {\n const now = Date.now();\n const maxAttemptsPerHour =\n config.signIn?.maxFailedAttemptsPerHour ??\n DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR;\n\n const limit = (yield* Fx.promise(() =>\n authDb(ctx, config).rateLimits.get(identifier),\n )) as\n | (Doc<\"RateLimit\"> & { attemptsLeft: number; lastAttemptTime: number })\n | null;\n if (limit === null) return null;\n const elapsed = now - limit.lastAttemptTime;\n const maxAttemptsPerMs = maxAttemptsPerHour / (60 * 60 * 1000);\n const attemptsLeft = Math.min(\n maxAttemptsPerHour,\n limit.attemptsLeft + elapsed * maxAttemptsPerMs,\n );\n return { limit, attemptsLeft };\n 
});\n"],"mappings":";;;;AAOA,MAAM,wCAAwC;;;;;AAM9C,MAAa,uBACX,KACA,YACA,WAEA,kBAAkB,KAAK,YAAY,OAAO,CAAC,KACzC,GAAG,KAAK,UAAU,UAAU,QAAQ,MAAM,eAAe,EAAE,CAC5D;;;;;;;AAQH,MAAa,sBACX,KACA,YACA,WAEA,GAAG,IAAI,aAAa;CAClB,MAAM,QAAQ,OAAO,kBAAkB,KAAK,YAAY,OAAO;AAC/D,KAAI,UAAU,KACZ,QAAO,GAAG,cACR,OAAO,KAAK,OAAO,CAAC,WAAW,MAAM,MAAM,MAAM,KAAK;EACpD,cAAc,MAAM,eAAe;EACnC,iBAAiB,KAAK,KAAK;EAC5B,CAAC,CACH;KAED,QAAO,GAAG,cACR,OAAO,KAAK,OAAO,CAAC,WAAW,OAAO;EACpC;EACA,eACG,OAAO,QAAQ,4BACd,yCAAyC;EAC7C,iBAAiB,KAAK,KAAK;EAC5B,CAAC,CACH;EAEH;;;;;AAMJ,MAAa,wBACX,KACA,YACA,WAEA,GAAG,IAAI,aAAa;CAClB,MAAM,QAAQ,OAAO,kBAAkB,KAAK,YAAY,OAAO;AAC/D,KAAI,UAAU,KACZ,QAAO,GAAG,cACR,OAAO,KAAK,OAAO,CAAC,WAAW,OAAO,MAAM,MAAM,IAAI,CACvD;EAEH;AAWJ,MAAM,qBACJ,KACA,YACA,WAEA,GAAG,IAAI,aAAa;CAClB,MAAM,MAAM,KAAK,KAAK;CACtB,MAAM,qBACJ,OAAO,QAAQ,4BACf;CAEF,MAAM,QAAS,OAAO,GAAG,cACvB,OAAO,KAAK,OAAO,CAAC,WAAW,IAAI,WAAW,CAC/C;AAGD,KAAI,UAAU,KAAM,QAAO;CAC3B,MAAM,UAAU,MAAM,MAAM;CAC5B,MAAM,mBAAmB,sBAAsB,OAAU;AAKzD,QAAO;EAAE;EAAO,cAJK,KAAK,IACxB,oBACA,MAAM,eAAe,UAAU,iBAChC;EAC6B;EAC9B"}
@@ -1 +0,0 @@
1
- {"version":3,"file":"mounts.d.ts","names":[],"sources":["../../src/server/mounts.ts"],"mappings":";;;;;;;;AAgCA;;;;;AAiBA;;;;;;;;KAjBY,yBAAA;;;;AAkDZ;;;KAjCY,iCAAA;EAmCH,2DAjCP,MAAA,UAkCU;EAhCV,UAAA,EAAY,yBAAA,EA8BL;EA5BP,YAAA,WA4BA;EA1BA,OAAA,WA2BA;EAzBA,eAAA;AAAA;;AA0BiB;;;;;;;;;AAEiC;;;;;;;;;;KALxC,oBAAA,IACV,GAAA;EAAO,IAAA,EADuB,cAAA,CACO,IAAA;AAAA,GACrC,KAAA,EAAO,iCAAA,KACJ,OAAA;AAAA,KAEA,OAAA;EAAoC,EAAA,EAAI,OAAA;AAAA;AAAA,KAExC,wBAAA;EACH,KAAA;IACE,UAAA,GAAa,oBAAA;IACb,KAAA,GAAQ,KAAA,CAAM,OAAA,GAAU,OAAA,CAAQ,OAAA;EAAA;AAAA;;;;;;;;;;;;;;;;;;;;;KAwBxB,sBAAA;EACV,KAAA;IACE,UAAA,EAAY,oBAAA;IACZ,KAAA,GAAQ,KAAA,CAAM,OAAA,GAAU,OAAA,CAAQ,OAAA;EAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAqJpB,GAAA,wBACS,uBAAA,yBAAA,CAEvB,IAAA,EAAM,IAAA,CACJ,OAAA,CAAQ,cAAA,4CAGV,OAAA,GAAU,wBAAA,CAAyB,UAAA,CAAW,cAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAkgBhC,IAAA,wBACS,uBAAA,yBAAA,CAEvB,IAAA,EAAM,IAAA,CAAK,OAAA,CAAQ,cAAA,gCACnB,OAAA,GAAU,wBAAA,CAAyB,UAAA,CAAW,cAAA;;;;;;;;;;;;;;;;AAJhD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAmFgB,UAAA,wBACS,uBAAA,yBAAA,CAEvB,IAAA,EAAM,IAAA,CACJ,OAAA,CAAQ,cAAA,qDAGV,OAAA,EAAS,sBAAA,CAAuB,UAAA,CAAW,cAAA"}
@@ -1 +0,0 @@
1
- {"version":3,"file":"mounts.js","names":[],"sources":["../../src/server/mounts.ts"],"sourcesContent":["import { Cv } from \"@robelest/fx/convex\";\nimport { actionGeneric, mutationGeneric, queryGeneric } from \"convex/server\";\nimport { ConvexError, v } from \"convex/values\";\n\nimport type { AuthApi } from \"./auth\";\nimport {\n enterpriseConnectionWhereValidator,\n enterpriseDomainInputValidator,\n enterpriseDomainVerificationInputValidator,\n enterprisePolicyPatchValidator,\n enterpriseSamlAttributeMappingValidator,\n enterpriseSamlSpValidator,\n enterpriseStatusValidator,\n} from \"./enterprise/validators\";\nimport type { AuthAuthorizationConfig, AuthRoleId } from \"./types\";\n\n/**\n * Permission identifiers used by mounted enterprise admin APIs.\n *\n * These permission strings are passed to your {@link EnterpriseAuthorizer}\n * callback so app code can decide whether the current user may perform a\n * specific SSO or SCIM management operation.\n *\n * @example\n * ```ts\n * const authorized: EnterpriseAuthorizer = async (ctx, input) => {\n * if (input.permission === \"sso.connection.create\") {\n * // Only org admins may create SSO connections\n * }\n * };\n * ```\n */\nexport type EnterpriseAdminPermission =\n | \"sso.connection.create\"\n | \"sso.connection.read\"\n | \"sso.connection.manage\"\n | \"sso.domain.manage\"\n | \"sso.protocol.manage\"\n | \"sso.policy.manage\"\n | \"sso.audit.read\"\n | \"sso.webhook.manage\"\n | \"scim.manage\";\n\n/**\n * Input passed to an {@link EnterpriseAuthorizer}.\n *\n * Contains the acting user, the requested permission, and the resolved\n * enterprise/group scope for the operation being authorized.\n */\nexport type EnterpriseAdminAuthorizationInput = {\n /** The signed-in user's ID performing the admin action. */\n userId: string;\n /** The {@link EnterpriseAdminPermission} being requested. 
*/\n permission: EnterpriseAdminPermission;\n /** Enterprise document ID, if the operation targets a specific enterprise. */\n enterpriseId?: string;\n /** Group document ID, if explicitly provided by the caller. */\n groupId?: string;\n /** Resolved group ID from the enterprise record, or `null` when no enterprise context. */\n resolvedGroupId: string | null;\n};\n\n/**\n * App-defined authorization hook for mounted enterprise admin APIs.\n *\n * Return `void` (or resolve) to allow the operation, or throw to deny it.\n *\n * @param ctx - Convex context with `ctx.auth` for identity checks.\n * @param input - The {@link EnterpriseAdminAuthorizationInput} describing who is doing what.\n * @returns `void` to allow; throw to deny.\n *\n * @example\n * ```ts\n * import { EnterpriseAuthorizer } from \"@robelest/convex-auth/server\";\n *\n * const authorized: EnterpriseAuthorizer = async (ctx, input) => {\n * const identity = await ctx.auth.getUserIdentity();\n * if (!identity) throw new Error(\"Forbidden\");\n * // Allow all admin ops for the org owner\n * };\n * ```\n */\nexport type EnterpriseAuthorizer = (\n ctx: { auth: import(\"convex/server\").Auth },\n input: EnterpriseAdminAuthorizationInput,\n) => Promise<void>;\n\ntype RoleRef<TRoleId extends string> = { id: TRoleId };\n\ntype MountedEnterpriseOptions<TRoleId extends string = string> = {\n admin?: {\n authorized?: EnterpriseAuthorizer;\n roles?: Array<TRoleId | RoleRef<TRoleId>>;\n };\n};\n\n/**\n * Configuration for {@link enterprise}, {@link sso}, and {@link scim}\n * mounted admin APIs.\n *\n * @typeParam TRoleId - Role IDs that may be assigned to enterprise creators.\n *\n * @example\n * ```ts\n * import { enterprise, EnterpriseMountOptions } from \"@robelest/convex-auth/server\";\n *\n * const options: EnterpriseMountOptions = {\n * admin: {\n * authorized: async (ctx, input) => {\n * // Verify the user has permission for `input.permission`\n * },\n * roles: [\"admin\", \"owner\"],\n * },\n * };\n * ```\n 
*/\nexport type EnterpriseMountOptions<TRoleId extends string = string> = {\n admin: {\n authorized: EnterpriseAuthorizer;\n roles?: Array<TRoleId | RoleRef<TRoleId>>;\n };\n};\n\ntype MountedEnterpriseTarget = {\n enterpriseId?: string;\n groupId?: string;\n domain?: string;\n};\n\nfunction requireSignedInUser(auth: Pick<AuthApi, \"context\">) {\n return async (ctx: {\n auth: import(\"convex/server\").Auth;\n }): Promise<string | null> => {\n return (await auth.context(ctx as never, { optional: true })).userId;\n };\n}\n\nfunction normalizeCreatorRoleIds<TRoleId extends string>(\n roles?: Array<TRoleId | RoleRef<TRoleId>>,\n) {\n return roles?.map((role) => (typeof role === \"string\" ? role : role.id));\n}\n\nasync function resolveMountedEnterpriseTarget(\n auth: Pick<AuthApi, \"sso\">,\n ctx: { auth: import(\"convex/server\").Auth },\n target: MountedEnterpriseTarget,\n) {\n if (target.groupId !== undefined) {\n return {\n enterpriseId: target.enterpriseId,\n groupId: target.groupId,\n resolvedGroupId: target.groupId,\n };\n }\n\n if (target.enterpriseId !== undefined) {\n const enterprise = await auth.sso.admin.connection.get(\n ctx as never,\n target.enterpriseId,\n );\n if (enterprise === null) {\n throw new ConvexError({\n code: \"INVALID_PARAMETERS\",\n message: \"Enterprise not found.\",\n });\n }\n return {\n enterpriseId: enterprise._id,\n groupId: enterprise.groupId,\n resolvedGroupId: enterprise.groupId,\n };\n }\n\n if (target.domain !== undefined) {\n const resolved = await auth.sso.admin.connection.getByDomain(\n ctx as never,\n target.domain,\n );\n if (resolved?.enterprise === undefined) {\n throw new ConvexError({\n code: \"INVALID_PARAMETERS\",\n message: \"Enterprise not found.\",\n });\n }\n return {\n enterpriseId: resolved.enterprise._id,\n groupId: resolved.enterprise.groupId,\n resolvedGroupId: resolved.enterprise.groupId,\n };\n }\n\n return {\n enterpriseId: undefined,\n groupId: undefined,\n resolvedGroupId: null,\n };\n}\n\nfunction 
createMountedAdminAuthorizer(\n auth: Pick<AuthApi, \"context\" | \"sso\">,\n options?: MountedEnterpriseOptions,\n) {\n const requireUserId = requireSignedInUser(auth);\n\n return async (\n ctx: { auth: import(\"convex/server\").Auth },\n permission: EnterpriseAdminPermission,\n target: MountedEnterpriseTarget = {},\n ) => {\n const userId = await requireUserId(ctx);\n if (userId === null) {\n throw Cv.error({\n code: \"NOT_SIGNED_IN\",\n message: \"You must be signed in to perform this action.\",\n });\n }\n if (!options?.admin?.authorized) {\n throw Cv.error({\n code: \"FORBIDDEN\",\n message: \"Access denied.\",\n });\n }\n const resolved = await resolveMountedEnterpriseTarget(auth, ctx, target);\n await options.admin.authorized(ctx, {\n userId,\n permission,\n enterpriseId: resolved.enterpriseId,\n groupId: resolved.groupId,\n resolvedGroupId: resolved.resolvedGroupId,\n });\n return { userId, ...resolved };\n };\n}\n\n/**\n * Build optional public SSO management actions that apps can mount under\n * `convex/auth/sso/**` when they want client-callable enterprise APIs.\n *\n * `admin` is for tenant-admin control-plane operations and should be mounted\n * with an explicit authorization policy. `client` is for end-user sign-in\n * helpers and does not require tenant-admin authorization.\n *\n * @param auth - Auth API subset providing `group`, `member`, `sso`, and `user` namespaces.\n * @param options - Optional admin authorization config. 
See {@link EnterpriseMountOptions}.\n * @typeParam TAuthorization - Optional authorization config for typed role IDs.\n * @returns An object with `admin` (connection CRUD, OIDC/SAML protocol config, policy,\n * audit, webhooks, domain management) and `client` (signIn, metadata) namespaces.\n *\n * @example\n * ```ts\n * // convex/auth/sso.ts\n * import { sso } from \"@robelest/convex-auth/server\";\n * import { auth } from \"../auth\";\n *\n * const mounted = sso(auth, {\n * admin: {\n * authorized: async (ctx, input) => { /* check permissions *\\/ },\n * },\n * });\n *\n * export const createConnection = mounted.admin.connection.create;\n * export const signIn = mounted.client.signIn;\n * ```\n *\n * @see {@link scim}\n * @see {@link enterprise}\n */\nexport function sso<\n TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n>(\n auth: Pick<\n AuthApi<TAuthorization>,\n \"context\" | \"group\" | \"member\" | \"sso\"\n >,\n options?: MountedEnterpriseOptions<AuthRoleId<TAuthorization>>,\n) {\n const authorize = createMountedAdminAuthorizer(auth, options);\n const adminRoleIds = normalizeCreatorRoleIds(options?.admin?.roles);\n\n return {\n admin: {\n connection: {\n create: mutationGeneric({\n args: {\n groupId: v.optional(v.string()),\n name: v.optional(v.string()),\n slug: v.optional(v.string()),\n status: v.optional(enterpriseStatusValidator),\n domain: v.optional(v.string()),\n },\n handler: async (ctx, args) => {\n const authResult = await authorize(ctx, \"sso.connection.create\", {\n groupId: args.groupId,\n });\n const { userId } = authResult;\n const createsGroup = args.groupId === undefined;\n const groupId =\n args.groupId ??\n (\n await auth.group.create(ctx as never, {\n name: args.name?.trim() || args.slug?.trim() || \"Enterprise\",\n slug: args.slug,\n type: \"enterprise\",\n })\n ).groupId;\n if (createsGroup) {\n await auth.member.create(ctx as never, {\n groupId,\n userId,\n roleIds: adminRoleIds,\n });\n }\n const created = 
await auth.sso.admin.connection.create(\n ctx as never,\n {\n groupId,\n name: args.name,\n slug: args.slug,\n status: args.status,\n },\n );\n if (args.domain) {\n await auth.sso.admin.connection.domain.set(\n ctx as never,\n created.enterpriseId,\n [{ domain: args.domain, isPrimary: true }],\n );\n }\n return {\n ...created,\n groupId,\n createdGroup: createsGroup,\n };\n },\n }),\n get: queryGeneric({\n args: { enterpriseId: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.connection.read\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.connection.get(\n ctx as never,\n args.enterpriseId,\n );\n },\n }),\n getByGroup: queryGeneric({\n args: { groupId: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.connection.read\", {\n groupId: args.groupId,\n });\n return await auth.sso.admin.connection.getByGroup(\n ctx as never,\n args.groupId,\n );\n },\n }),\n getByDomain: queryGeneric({\n args: { domain: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.connection.read\", {\n domain: args.domain,\n });\n return await auth.sso.admin.connection.getByDomain(\n ctx as never,\n args.domain,\n );\n },\n }),\n list: queryGeneric({\n args: {\n where: v.optional(enterpriseConnectionWhereValidator),\n limit: v.optional(v.number()),\n cursor: v.optional(v.union(v.string(), v.null())),\n orderBy: v.optional(v.string()),\n order: v.optional(v.union(v.literal(\"asc\"), v.literal(\"desc\"))),\n },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.connection.read\", {\n groupId: args.where?.groupId,\n });\n return await auth.sso.admin.connection.list(\n ctx as never,\n args as never,\n );\n },\n }),\n update: mutationGeneric({\n args: {\n enterpriseId: v.string(),\n data: v.object({\n name: v.optional(v.string()),\n slug: v.optional(v.string()),\n status: v.optional(enterpriseStatusValidator),\n }),\n },\n handler: async (ctx, args) => {\n await authorize(ctx, 
\"sso.connection.manage\", {\n enterpriseId: args.enterpriseId,\n });\n await auth.sso.admin.connection.update(\n ctx as never,\n args.enterpriseId,\n args.data,\n );\n return { enterpriseId: args.enterpriseId };\n },\n }),\n delete: mutationGeneric({\n args: { enterpriseId: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.connection.manage\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.connection.delete(\n ctx as never,\n args.enterpriseId,\n );\n },\n }),\n status: queryGeneric({\n args: { enterpriseId: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.connection.read\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.connection.status(\n ctx as never,\n args.enterpriseId,\n );\n },\n }),\n domain: {\n list: queryGeneric({\n args: { enterpriseId: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.connection.read\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.connection.domain.list(\n ctx as never,\n args.enterpriseId,\n );\n },\n }),\n validate: queryGeneric({\n args: { enterpriseId: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.domain.manage\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.connection.domain.validate(\n ctx as never,\n args.enterpriseId,\n );\n },\n }),\n set: mutationGeneric({\n args: {\n enterpriseId: v.string(),\n domains: v.array(enterpriseDomainInputValidator),\n },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.domain.manage\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.connection.domain.set(\n ctx as never,\n args.enterpriseId,\n args.domains,\n );\n },\n }),\n verification: {\n request: mutationGeneric({\n args: enterpriseDomainVerificationInputValidator,\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.domain.manage\", {\n enterpriseId: args.enterpriseId,\n 
});\n return await auth.sso.admin.connection.domain.verification.request(\n ctx as never,\n args,\n );\n },\n }),\n confirm: actionGeneric({\n args: enterpriseDomainVerificationInputValidator,\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.domain.manage\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.connection.domain.verification.confirm(\n ctx as never,\n args,\n );\n },\n }),\n },\n },\n },\n oidc: {\n configure: mutationGeneric({\n args: {\n enterpriseId: v.string(),\n issuer: v.optional(v.string()),\n discoveryUrl: v.optional(v.string()),\n clientId: v.string(),\n clientSecret: v.optional(v.string()),\n scopes: v.optional(v.array(v.string())),\n authorizationParams: v.optional(v.record(v.string(), v.string())),\n clockToleranceSeconds: v.optional(v.number()),\n strictIssuer: v.optional(v.boolean()),\n extraFields: v.optional(v.record(v.string(), v.string())),\n },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.protocol.manage\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.oidc.configure(ctx as never, args);\n },\n }),\n get: queryGeneric({\n args: { enterpriseId: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.connection.read\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.oidc.get(\n ctx as never,\n args.enterpriseId,\n );\n },\n }),\n validate: actionGeneric({\n args: { enterpriseId: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.protocol.manage\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.oidc.validate(\n ctx as never,\n args.enterpriseId,\n );\n },\n }),\n },\n saml: {\n configure: actionGeneric({\n args: {\n enterpriseId: v.string(),\n metadataXml: v.optional(v.string()),\n metadataUrl: v.optional(v.string()),\n domains: v.optional(v.array(v.string())),\n signAuthnRequests: v.optional(v.boolean()),\n attributeMapping: v.optional(\n 
enterpriseSamlAttributeMappingValidator,\n ),\n sp: v.optional(enterpriseSamlSpValidator),\n },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.protocol.manage\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.saml.configure(ctx as never, args);\n },\n }),\n validate: queryGeneric({\n args: { enterpriseId: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.protocol.manage\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.saml.validate(\n ctx as never,\n args.enterpriseId,\n );\n },\n }),\n },\n policy: {\n get: queryGeneric({\n args: { enterpriseId: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.connection.read\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.policy.get(\n ctx as never,\n args.enterpriseId,\n );\n },\n }),\n update: mutationGeneric({\n args: {\n enterpriseId: v.string(),\n patch: enterprisePolicyPatchValidator,\n },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.policy.manage\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.policy.update(\n ctx as never,\n args.enterpriseId,\n args.patch,\n );\n },\n }),\n validate: queryGeneric({\n args: { enterpriseId: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.policy.manage\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.sso.admin.policy.validate(\n ctx as never,\n args.enterpriseId,\n );\n },\n }),\n },\n audit: {\n list: queryGeneric({\n args: {\n enterpriseId: v.optional(v.string()),\n groupId: v.optional(v.string()),\n limit: v.optional(v.number()),\n },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.audit.read\", {\n enterpriseId: args.enterpriseId,\n groupId: args.groupId,\n });\n return await auth.sso.admin.audit.list(ctx as never, args);\n },\n }),\n },\n webhook: {\n delivery: {\n list: queryGeneric({\n args: {\n enterpriseId: v.string(),\n limit: 
v.optional(v.number()),\n },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.webhook.manage\", {\n enterpriseId: args.enterpriseId,\n });\n return await (auth.sso.admin.webhook as any).delivery.list(\n ctx as never,\n args,\n );\n },\n }),\n },\n endpoint: {\n create: mutationGeneric({\n args: {\n enterpriseId: v.string(),\n url: v.string(),\n secret: v.string(),\n subscriptions: v.array(v.string()),\n createdByUserId: v.optional(v.string()),\n },\n handler: async (ctx, args) => {\n const authResult = await authorize(ctx, \"sso.webhook.manage\", {\n enterpriseId: args.enterpriseId,\n });\n const { userId } = authResult;\n const result = await auth.sso.admin.webhook.endpoint.create(\n ctx as never,\n {\n ...args,\n createdByUserId: args.createdByUserId ?? userId,\n },\n );\n return {\n _id: result.endpointId,\n enterpriseId: args.enterpriseId,\n url: args.url,\n subscriptions: args.subscriptions,\n createdByUserId: args.createdByUserId ?? userId,\n status: \"active\",\n failureCount: 0,\n };\n },\n }),\n list: queryGeneric({\n args: { enterpriseId: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"sso.webhook.manage\", {\n enterpriseId: args.enterpriseId,\n });\n const endpoints = await auth.sso.admin.webhook.endpoint.list(\n ctx as never,\n args.enterpriseId,\n );\n return endpoints.map((endpoint: Record<string, unknown>) => {\n const { secretHash: _secretHash, ...rest } = endpoint;\n return rest;\n });\n },\n }),\n disable: mutationGeneric({\n args: { endpointId: v.string() },\n handler: async (ctx, args) => {\n const endpoint = await auth.sso.admin.webhook.endpoint.get(\n ctx as never,\n args.endpointId,\n );\n if (!endpoint) {\n throw Cv.error({\n code: \"INVALID_PARAMETERS\",\n message: \"Webhook endpoint not found.\",\n });\n }\n await authorize(ctx, \"sso.webhook.manage\", {\n enterpriseId: endpoint.enterpriseId,\n groupId: endpoint.groupId,\n });\n return await auth.sso.admin.webhook.endpoint.disable(\n ctx as never,\n 
args.endpointId,\n );\n },\n }),\n },\n },\n },\n client: {\n signIn: queryGeneric({\n args: {\n enterpriseId: v.optional(v.string()),\n email: v.optional(v.string()),\n domain: v.optional(v.string()),\n redirectTo: v.optional(v.string()),\n },\n handler: async (ctx, args) => {\n return await auth.sso.client.signIn(ctx as never, args);\n },\n }),\n metadata: queryGeneric({\n args: {\n enterpriseId: v.string(),\n entityId: v.optional(v.string()),\n acsUrl: v.optional(v.string()),\n sloUrl: v.optional(v.string()),\n },\n handler: async (ctx, args) => {\n return await auth.sso.client.metadata(ctx as never, args);\n },\n }),\n },\n };\n}\n\n/**\n * Build optional public SCIM management actions that apps can mount under\n * `convex/auth/scim/**` when they want client-callable enterprise admin APIs.\n *\n * @param auth - Auth API subset providing `scim`, `sso`, and `user` namespaces.\n * @param options - Optional admin authorization config. See {@link EnterpriseMountOptions}.\n * @typeParam TAuthorization - Optional authorization config for typed role IDs.\n * @returns An object with `admin.configure`, `admin.get`, and `admin.validate` actions.\n *\n * @example\n * ```ts\n * // convex/auth/scim.ts\n * import { scim } from \"@robelest/convex-auth/server\";\n * import { auth } from \"../auth\";\n *\n * const mounted = scim(auth, {\n * admin: {\n * authorized: async (ctx, input) => { /* check permissions *\\/ },\n * },\n * });\n *\n * export const configure = mounted.admin.configure;\n * export const get = mounted.admin.get;\n * export const validate = mounted.admin.validate;\n * ```\n *\n * @see {@link sso}\n * @see {@link enterprise}\n */\nexport function scim<\n TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n>(\n auth: Pick<AuthApi<TAuthorization>, \"context\" | \"scim\" | \"sso\">,\n options?: MountedEnterpriseOptions<AuthRoleId<TAuthorization>>,\n) {\n const authorize = createMountedAdminAuthorizer(auth, options);\n\n return {\n admin: {\n 
configure: mutationGeneric({\n args: {\n enterpriseId: v.string(),\n basePath: v.optional(v.string()),\n status: v.optional(enterpriseStatusValidator),\n },\n handler: async (ctx, args) => {\n await authorize(ctx, \"scim.manage\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.scim.admin.configure(ctx as never, args);\n },\n }),\n get: queryGeneric({\n args: { enterpriseId: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"scim.manage\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.scim.admin.get(ctx as never, args.enterpriseId);\n },\n }),\n validate: queryGeneric({\n args: { enterpriseId: v.string() },\n handler: async (ctx, args) => {\n await authorize(ctx, \"scim.manage\", {\n enterpriseId: args.enterpriseId,\n });\n return await auth.scim.admin.validate(\n ctx as never,\n args.enterpriseId,\n );\n },\n }),\n },\n };\n}\n\n/**\n * Build a flat mounted enterprise API surface for app-owned Convex exports.\n *\n * Combines {@link sso} and {@link scim} into a single flat object with\n * all SSO connection, protocol, policy, audit, webhook, and SCIM\n * management functions plus end-user sign-in helpers. The `authorized`\n * callback is required for all admin operations.\n *\n * @param auth - Auth API subset providing `group`, `member`, `scim`, `sso`, and `user` namespaces.\n * @param options - Required {@link EnterpriseMountOptions} with an `admin.authorized` callback.\n * @typeParam TAuthorization - Optional authorization config for typed role IDs.\n * @returns A flat object with all enterprise management functions (e.g. 
`createConnection`,\n * `configureOidc`, `configureScim`, `signIn`, etc.).\n *\n * @example\n * ```ts\n * // convex/auth/enterprise.ts\n * import { enterprise } from \"@robelest/convex-auth/server\";\n * import { auth } from \"../auth\";\n *\n * const api = enterprise(auth, {\n * admin: {\n * authorized: async (ctx, input) => { /* check permissions *\\/ },\n * roles: [\"admin\"],\n * },\n * });\n *\n * export const createConnection = api.createConnection;\n * export const configureOidc = api.configureOidc;\n * export const signIn = api.signIn;\n * ```\n *\n * @see {@link sso}\n * @see {@link scim}\n */\nexport function enterprise<\n TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n>(\n auth: Pick<\n AuthApi<TAuthorization>,\n \"context\" | \"group\" | \"member\" | \"scim\" | \"sso\"\n >,\n options: EnterpriseMountOptions<AuthRoleId<TAuthorization>>,\n) {\n const mountedSso = sso(auth, {\n admin: options.admin,\n });\n const mountedScim = scim(auth, {\n admin: { authorized: options.admin.authorized },\n });\n\n return {\n createConnection: mountedSso.admin.connection.create,\n getConnection: mountedSso.admin.connection.get,\n getConnectionByGroup: mountedSso.admin.connection.getByGroup,\n getConnectionByDomain: mountedSso.admin.connection.getByDomain,\n listConnections: mountedSso.admin.connection.list,\n updateConnection: mountedSso.admin.connection.update,\n deleteConnection: mountedSso.admin.connection.delete,\n getConnectionStatus: mountedSso.admin.connection.status,\n listDomains: mountedSso.admin.connection.domain.list,\n validateDomains: mountedSso.admin.connection.domain.validate,\n setDomains: mountedSso.admin.connection.domain.set,\n requestDomainVerification:\n mountedSso.admin.connection.domain.verification.request,\n confirmDomainVerification:\n mountedSso.admin.connection.domain.verification.confirm,\n configureOidc: mountedSso.admin.oidc.configure,\n getOidc: mountedSso.admin.oidc.get,\n validateOidc: 
mountedSso.admin.oidc.validate,\n configureSaml: mountedSso.admin.saml.configure,\n validateSaml: mountedSso.admin.saml.validate,\n getPolicy: mountedSso.admin.policy.get,\n updatePolicy: mountedSso.admin.policy.update,\n validatePolicy: mountedSso.admin.policy.validate,\n listAudit: mountedSso.admin.audit.list,\n createWebhookEndpoint: mountedSso.admin.webhook.endpoint.create,\n listWebhookEndpoints: mountedSso.admin.webhook.endpoint.list,\n listWebhookDeliveries: mountedSso.admin.webhook.delivery.list,\n disableWebhookEndpoint: mountedSso.admin.webhook.endpoint.disable,\n configureScim: mountedScim.admin.configure,\n getScim: mountedScim.admin.get,\n validateScim: mountedScim.admin.validate,\n signIn: mountedSso.client.signIn,\n metadata: mountedSso.client.metadata,\n };\n}\n"],"mappings":";;;;;;AAiIA,SAAS,oBAAoB,MAAgC;AAC3D,QAAO,OAAO,QAEgB;AAC5B,UAAQ,MAAM,KAAK,QAAQ,KAAc,EAAE,UAAU,MAAM,CAAC,EAAE;;;AAIlE,SAAS,wBACP,OACA;AACA,QAAO,OAAO,KAAK,SAAU,OAAO,SAAS,WAAW,OAAO,KAAK,GAAI;;AAG1E,eAAe,+BACb,MACA,KACA,QACA;AACA,KAAI,OAAO,YAAY,OACrB,QAAO;EACL,cAAc,OAAO;EACrB,SAAS,OAAO;EAChB,iBAAiB,OAAO;EACzB;AAGH,KAAI,OAAO,iBAAiB,QAAW;EACrC,MAAM,aAAa,MAAM,KAAK,IAAI,MAAM,WAAW,IACjD,KACA,OAAO,aACR;AACD,MAAI,eAAe,KACjB,OAAM,IAAI,YAAY;GACpB,MAAM;GACN,SAAS;GACV,CAAC;AAEJ,SAAO;GACL,cAAc,WAAW;GACzB,SAAS,WAAW;GACpB,iBAAiB,WAAW;GAC7B;;AAGH,KAAI,OAAO,WAAW,QAAW;EAC/B,MAAM,WAAW,MAAM,KAAK,IAAI,MAAM,WAAW,YAC/C,KACA,OAAO,OACR;AACD,MAAI,UAAU,eAAe,OAC3B,OAAM,IAAI,YAAY;GACpB,MAAM;GACN,SAAS;GACV,CAAC;AAEJ,SAAO;GACL,cAAc,SAAS,WAAW;GAClC,SAAS,SAAS,WAAW;GAC7B,iBAAiB,SAAS,WAAW;GACtC;;AAGH,QAAO;EACL,cAAc;EACd,SAAS;EACT,iBAAiB;EAClB;;AAGH,SAAS,6BACP,MACA,SACA;CACA,MAAM,gBAAgB,oBAAoB,KAAK;AAE/C,QAAO,OACL,KACA,YACA,SAAkC,EAAE,KACjC;EACH,MAAM,SAAS,MAAM,cAAc,IAAI;AACvC,MAAI,WAAW,KACb,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;AAEJ,MAAI,CAAC,SAAS,OAAO,WACnB,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;EAEJ,MAAM,WAAW,MAAM,+BAA+B,MAAM,KAAK,OAAO;AACxE,QAAM,QAAQ,MAAM,WAAW,KAAK;GAClC;GACA;GACA,cAAc,SAAS;GACvB,SAAS,
SAAS;GAClB,iBAAiB,SAAS;GAC3B,CAAC;AACF,SAAO;GAAE;GAAQ,GAAG;GAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqClC,SAAgB,IAGd,MAIA,SACA;CACA,MAAM,YAAY,6BAA6B,MAAM,QAAQ;CAC7D,MAAM,eAAe,wBAAwB,SAAS,OAAO,MAAM;AAEnE,QAAO;EACL,OAAO;GACL,YAAY;IACV,QAAQ,gBAAgB;KACtB,MAAM;MACJ,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC/B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC5B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC5B,QAAQ,EAAE,SAAS,0BAA0B;MAC7C,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC/B;KACD,SAAS,OAAO,KAAK,SAAS;MAI5B,MAAM,EAAE,WAHW,MAAM,UAAU,KAAK,yBAAyB,EAC/D,SAAS,KAAK,SACf,CAAC;MAEF,MAAM,eAAe,KAAK,YAAY;MACtC,MAAM,UACJ,KAAK,YAEH,MAAM,KAAK,MAAM,OAAO,KAAc;OACpC,MAAM,KAAK,MAAM,MAAM,IAAI,KAAK,MAAM,MAAM,IAAI;OAChD,MAAM,KAAK;OACX,MAAM;OACP,CAAC,EACF;AACJ,UAAI,aACF,OAAM,KAAK,OAAO,OAAO,KAAc;OACrC;OACA;OACA,SAAS;OACV,CAAC;MAEJ,MAAM,UAAU,MAAM,KAAK,IAAI,MAAM,WAAW,OAC9C,KACA;OACE;OACA,MAAM,KAAK;OACX,MAAM,KAAK;OACX,QAAQ,KAAK;OACd,CACF;AACD,UAAI,KAAK,OACP,OAAM,KAAK,IAAI,MAAM,WAAW,OAAO,IACrC,KACA,QAAQ,cACR,CAAC;OAAE,QAAQ,KAAK;OAAQ,WAAW;OAAM,CAAC,CAC3C;AAEH,aAAO;OACL,GAAG;OACH;OACA,cAAc;OACf;;KAEJ,CAAC;IACF,KAAK,aAAa;KAChB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,uBAAuB,EAC1C,cAAc,KAAK,cACpB,CAAC;AACF,aAAO,MAAM,KAAK,IAAI,MAAM,WAAW,IACrC,KACA,KAAK,aACN;;KAEJ,CAAC;IACF,YAAY,aAAa;KACvB,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE;KAC7B,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,uBAAuB,EAC1C,SAAS,KAAK,SACf,CAAC;AACF,aAAO,MAAM,KAAK,IAAI,MAAM,WAAW,WACrC,KACA,KAAK,QACN;;KAEJ,CAAC;IACF,aAAa,aAAa;KACxB,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE;KAC5B,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,uBAAuB,EAC1C,QAAQ,KAAK,QACd,CAAC;AACF,aAAO,MAAM,KAAK,IAAI,MAAM,WAAW,YACrC,KACA,KAAK,OACN;;KAEJ,CAAC;IACF,MAAM,aAAa;KACjB,MAAM;MACJ,OAAO,EAAE,SAAS,mCAAmC;MACrD,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC7B,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC,CAAC;MACjD,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC/B,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,CAAC,CAAC;MAChE;KACD,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,uBAAuB,EAC1C,SAAS,KAAK,OAAO,SACtB,CAAC;AA
CF,aAAO,MAAM,KAAK,IAAI,MAAM,WAAW,KACrC,KACA,KACD;;KAEJ,CAAC;IACF,QAAQ,gBAAgB;KACtB,MAAM;MACJ,cAAc,EAAE,QAAQ;MACxB,MAAM,EAAE,OAAO;OACb,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;OAC5B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;OAC5B,QAAQ,EAAE,SAAS,0BAA0B;OAC9C,CAAC;MACH;KACD,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,yBAAyB,EAC5C,cAAc,KAAK,cACpB,CAAC;AACF,YAAM,KAAK,IAAI,MAAM,WAAW,OAC9B,KACA,KAAK,cACL,KAAK,KACN;AACD,aAAO,EAAE,cAAc,KAAK,cAAc;;KAE7C,CAAC;IACF,QAAQ,gBAAgB;KACtB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,yBAAyB,EAC5C,cAAc,KAAK,cACpB,CAAC;AACF,aAAO,MAAM,KAAK,IAAI,MAAM,WAAW,OACrC,KACA,KAAK,aACN;;KAEJ,CAAC;IACF,QAAQ,aAAa;KACnB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,uBAAuB,EAC1C,cAAc,KAAK,cACpB,CAAC;AACF,aAAO,MAAM,KAAK,IAAI,MAAM,WAAW,OACrC,KACA,KAAK,aACN;;KAEJ,CAAC;IACF,QAAQ;KACN,MAAM,aAAa;MACjB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;MAClC,SAAS,OAAO,KAAK,SAAS;AAC5B,aAAM,UAAU,KAAK,uBAAuB,EAC1C,cAAc,KAAK,cACpB,CAAC;AACF,cAAO,MAAM,KAAK,IAAI,MAAM,WAAW,OAAO,KAC5C,KACA,KAAK,aACN;;MAEJ,CAAC;KACF,UAAU,aAAa;MACrB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;MAClC,SAAS,OAAO,KAAK,SAAS;AAC5B,aAAM,UAAU,KAAK,qBAAqB,EACxC,cAAc,KAAK,cACpB,CAAC;AACF,cAAO,MAAM,KAAK,IAAI,MAAM,WAAW,OAAO,SAC5C,KACA,KAAK,aACN;;MAEJ,CAAC;KACF,KAAK,gBAAgB;MACnB,MAAM;OACJ,cAAc,EAAE,QAAQ;OACxB,SAAS,EAAE,MAAM,+BAA+B;OACjD;MACD,SAAS,OAAO,KAAK,SAAS;AAC5B,aAAM,UAAU,KAAK,qBAAqB,EACxC,cAAc,KAAK,cACpB,CAAC;AACF,cAAO,MAAM,KAAK,IAAI,MAAM,WAAW,OAAO,IAC5C,KACA,KAAK,cACL,KAAK,QACN;;MAEJ,CAAC;KACF,cAAc;MACZ,SAAS,gBAAgB;OACvB,MAAM;OACN,SAAS,OAAO,KAAK,SAAS;AAC5B,cAAM,UAAU,KAAK,qBAAqB,EACxC,cAAc,KAAK,cACpB,CAAC;AACF,eAAO,MAAM,KAAK,IAAI,MAAM,WAAW,OAAO,aAAa,QACzD,KACA,KACD;;OAEJ,CAAC;MACF,SAAS,cAAc;OACrB,MAAM;OACN,SAAS,OAAO,KAAK,SAAS;AAC5B,cAAM,UAAU,KAAK,qBAAqB,EACxC,cAAc,KAAK,cACpB,CAAC;AACF,eAAO,MAAM,KAAK,IAAI,MAAM,WAAW,OAAO,aAAa,QACzD,KACA,KACD;;OAEJ,CAAC;MACH;KACF;IACF;GACD,MAAM;IACJ,WAAW,gBAAgB;KACzB,MAAM;MACJ,cAAc,EAAE,QAAQ;MACxB,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC9B,cAAc,EAAE,SAAS,EAAE,QAAQ,CAA
C;MACpC,UAAU,EAAE,QAAQ;MACpB,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;MACpC,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;MACvC,qBAAqB,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC;MACjE,uBAAuB,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC7C,cAAc,EAAE,SAAS,EAAE,SAAS,CAAC;MACrC,aAAa,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC;MAC1D;KACD,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,uBAAuB,EAC1C,cAAc,KAAK,cACpB,CAAC;AACF,aAAO,MAAM,KAAK,IAAI,MAAM,KAAK,UAAU,KAAc,KAAK;;KAEjE,CAAC;IACF,KAAK,aAAa;KAChB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,uBAAuB,EAC1C,cAAc,KAAK,cACpB,CAAC;AACF,aAAO,MAAM,KAAK,IAAI,MAAM,KAAK,IAC/B,KACA,KAAK,aACN;;KAEJ,CAAC;IACF,UAAU,cAAc;KACtB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,uBAAuB,EAC1C,cAAc,KAAK,cACpB,CAAC;AACF,aAAO,MAAM,KAAK,IAAI,MAAM,KAAK,SAC/B,KACA,KAAK,aACN;;KAEJ,CAAC;IACH;GACD,MAAM;IACJ,WAAW,cAAc;KACvB,MAAM;MACJ,cAAc,EAAE,QAAQ;MACxB,aAAa,EAAE,SAAS,EAAE,QAAQ,CAAC;MACnC,aAAa,EAAE,SAAS,EAAE,QAAQ,CAAC;MACnC,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;MACxC,mBAAmB,EAAE,SAAS,EAAE,SAAS,CAAC;MAC1C,kBAAkB,EAAE,SAClB,wCACD;MACD,IAAI,EAAE,SAAS,0BAA0B;MAC1C;KACD,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,uBAAuB,EAC1C,cAAc,KAAK,cACpB,CAAC;AACF,aAAO,MAAM,KAAK,IAAI,MAAM,KAAK,UAAU,KAAc,KAAK;;KAEjE,CAAC;IACF,UAAU,aAAa;KACrB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,uBAAuB,EAC1C,cAAc,KAAK,cACpB,CAAC;AACF,aAAO,MAAM,KAAK,IAAI,MAAM,KAAK,SAC/B,KACA,KAAK,aACN;;KAEJ,CAAC;IACH;GACD,QAAQ;IACN,KAAK,aAAa;KAChB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,uBAAuB,EAC1C,cAAc,KAAK,cACpB,CAAC;AACF,aAAO,MAAM,KAAK,IAAI,MAAM,OAAO,IACjC,KACA,KAAK,aACN;;KAEJ,CAAC;IACF,QAAQ,gBAAgB;KACtB,MAAM;MACJ,cAAc,EAAE,QAAQ;MACxB,OAAO;MACR;KACD,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,qBAAqB,EACxC,cAAc,KAAK,cACpB,CAAC;AACF,aAAO,MAAM,KAAK,IAAI,MAAM,OAAO,OACjC,KACA,KAAK,cACL,KAAK,MACN;;KAEJ,CAAC;IACF,UAAU,aAAa;KACrB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAA
S;AAC5B,YAAM,UAAU,KAAK,qBAAqB,EACxC,cAAc,KAAK,cACpB,CAAC;AACF,aAAO,MAAM,KAAK,IAAI,MAAM,OAAO,SACjC,KACA,KAAK,aACN;;KAEJ,CAAC;IACH;GACD,OAAO,EACL,MAAM,aAAa;IACjB,MAAM;KACJ,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;KACpC,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;KAC/B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;KAC9B;IACD,SAAS,OAAO,KAAK,SAAS;AAC5B,WAAM,UAAU,KAAK,kBAAkB;MACrC,cAAc,KAAK;MACnB,SAAS,KAAK;MACf,CAAC;AACF,YAAO,MAAM,KAAK,IAAI,MAAM,MAAM,KAAK,KAAc,KAAK;;IAE7D,CAAC,EACH;GACD,SAAS;IACP,UAAU,EACR,MAAM,aAAa;KACjB,MAAM;MACJ,cAAc,EAAE,QAAQ;MACxB,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC9B;KACD,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAM,UAAU,KAAK,sBAAsB,EACzC,cAAc,KAAK,cACpB,CAAC;AACF,aAAO,MAAO,KAAK,IAAI,MAAM,QAAgB,SAAS,KACpD,KACA,KACD;;KAEJ,CAAC,EACH;IACD,UAAU;KACR,QAAQ,gBAAgB;MACtB,MAAM;OACJ,cAAc,EAAE,QAAQ;OACxB,KAAK,EAAE,QAAQ;OACf,QAAQ,EAAE,QAAQ;OAClB,eAAe,EAAE,MAAM,EAAE,QAAQ,CAAC;OAClC,iBAAiB,EAAE,SAAS,EAAE,QAAQ,CAAC;OACxC;MACD,SAAS,OAAO,KAAK,SAAS;OAI5B,MAAM,EAAE,WAHW,MAAM,UAAU,KAAK,sBAAsB,EAC5D,cAAc,KAAK,cACpB,CAAC;AASF,cAAO;QACL,MARa,MAAM,KAAK,IAAI,MAAM,QAAQ,SAAS,OACnD,KACA;SACE,GAAG;SACH,iBAAiB,KAAK,mBAAmB;SAC1C,CACF,EAEa;QACZ,cAAc,KAAK;QACnB,KAAK,KAAK;QACV,eAAe,KAAK;QACpB,iBAAiB,KAAK,mBAAmB;QACzC,QAAQ;QACR,cAAc;QACf;;MAEJ,CAAC;KACF,MAAM,aAAa;MACjB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;MAClC,SAAS,OAAO,KAAK,SAAS;AAC5B,aAAM,UAAU,KAAK,sBAAsB,EACzC,cAAc,KAAK,cACpB,CAAC;AAKF,eAJkB,MAAM,KAAK,IAAI,MAAM,QAAQ,SAAS,KACtD,KACA,KAAK,aACN,EACgB,KAAK,aAAsC;QAC1D,MAAM,EAAE,YAAY,aAAa,GAAG,SAAS;AAC7C,eAAO;SACP;;MAEL,CAAC;KACF,SAAS,gBAAgB;MACvB,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE;MAChC,SAAS,OAAO,KAAK,SAAS;OAC5B,MAAM,WAAW,MAAM,KAAK,IAAI,MAAM,QAAQ,SAAS,IACrD,KACA,KAAK,WACN;AACD,WAAI,CAAC,SACH,OAAM,GAAG,MAAM;QACb,MAAM;QACN,SAAS;QACV,CAAC;AAEJ,aAAM,UAAU,KAAK,sBAAsB;QACzC,cAAc,SAAS;QACvB,SAAS,SAAS;QACnB,CAAC;AACF,cAAO,MAAM,KAAK,IAAI,MAAM,QAAQ,SAAS,QAC3C,KACA,KAAK,WACN;;MAEJ,CAAC;KACH;IACF;GACF;EACD,QAAQ;GACN,QAAQ,aAAa;IACnB,MAAM;KACJ,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;KACpC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;KAC7B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;KAC9B,YAAY,EAAE,SAAS,
EAAE,QAAQ,CAAC;KACnC;IACD,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAO,MAAM,KAAK,IAAI,OAAO,OAAO,KAAc,KAAK;;IAE1D,CAAC;GACF,UAAU,aAAa;IACrB,MAAM;KACJ,cAAc,EAAE,QAAQ;KACxB,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;KAChC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;KAC9B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;KAC/B;IACD,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAO,MAAM,KAAK,IAAI,OAAO,SAAS,KAAc,KAAK;;IAE5D,CAAC;GACH;EACF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCH,SAAgB,KAGd,MACA,SACA;CACA,MAAM,YAAY,6BAA6B,MAAM,QAAQ;AAE7D,QAAO,EACL,OAAO;EACL,WAAW,gBAAgB;GACzB,MAAM;IACJ,cAAc,EAAE,QAAQ;IACxB,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;IAChC,QAAQ,EAAE,SAAS,0BAA0B;IAC9C;GACD,SAAS,OAAO,KAAK,SAAS;AAC5B,UAAM,UAAU,KAAK,eAAe,EAClC,cAAc,KAAK,cACpB,CAAC;AACF,WAAO,MAAM,KAAK,KAAK,MAAM,UAAU,KAAc,KAAK;;GAE7D,CAAC;EACF,KAAK,aAAa;GAChB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;GAClC,SAAS,OAAO,KAAK,SAAS;AAC5B,UAAM,UAAU,KAAK,eAAe,EAClC,cAAc,KAAK,cACpB,CAAC;AACF,WAAO,MAAM,KAAK,KAAK,MAAM,IAAI,KAAc,KAAK,aAAa;;GAEpE,CAAC;EACF,UAAU,aAAa;GACrB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;GAClC,SAAS,OAAO,KAAK,SAAS;AAC5B,UAAM,UAAU,KAAK,eAAe,EAClC,cAAc,KAAK,cACpB,CAAC;AACF,WAAO,MAAM,KAAK,KAAK,MAAM,SAC3B,KACA,KAAK,aACN;;GAEJ,CAAC;EACH,EACF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCH,SAAgB,WAGd,MAIA,SACA;CACA,MAAM,aAAa,IAAI,MAAM,EAC3B,OAAO,QAAQ,OAChB,CAAC;CACF,MAAM,cAAc,KAAK,MAAM,EAC7B,OAAO,EAAE,YAAY,QAAQ,MAAM,YAAY,EAChD,CAAC;AAEF,QAAO;EACL,kBAAkB,WAAW,MAAM,WAAW;EAC9C,eAAe,WAAW,MAAM,WAAW;EAC3C,sBAAsB,WAAW,MAAM,WAAW;EAClD,uBAAuB,WAAW,MAAM,WAAW;EACnD,iBAAiB,WAAW,MAAM,WAAW;EAC7C,kBAAkB,WAAW,MAAM,WAAW;EAC9C,kBAAkB,WAAW,MAAM,WAAW;EAC9C,qBAAqB,WAAW,MAAM,WAAW;EACjD,aAAa,WAAW,MAAM,WAAW,OAAO;EAChD,iBAAiB,WAAW,MAAM,WAAW,OAAO;EACpD,YAAY,WAAW,MAAM,WAAW,OAAO;EAC/C,2BACE,WAAW,MAAM,WAAW,OAAO,aAAa;EAClD,2BACE,WAAW,MAAM,WAAW,OAAO,aAAa;EAClD,eAAe,WAAW,MAAM,KAAK;EACrC,SAAS,WAAW,MAAM,KAAK;EAC/B,cAAc,WAAW,MAAM,KAAK;EACpC,eAAe,WAAW,MAAM,KAAK;EACrC,cAAc,WAAW,MAAM,KAAK;EACpC,WAAW,WAAW,MAAM,OAAO;EACnC,cAAc,WAAW,MAAM,OAAO;EACtC,gBAAgB,WAAW,MAAM,OAAO;EACxC,WAAW,WAAW,MAAM,MAAM;EAClC,uBAAuB,WAAW,MAAM,QAAQ,SAAS;EACzD,sBAAsB,WAAW,MAAM,QAAQ,SA
AS;EACxD,uBAAuB,WAAW,MAAM,QAAQ,SAAS;EACzD,wBAAwB,WAAW,MAAM,QAAQ,SAAS;EAC1D,eAAe,YAAY,MAAM;EACjC,SAAS,YAAY,MAAM;EAC3B,cAAc,YAAY,MAAM;EAChC,QAAQ,WAAW,OAAO;EAC1B,UAAU,WAAW,OAAO;EAC7B"}
@@ -1,29 +0,0 @@
1
- import { MutationCtx } from "../types.js";
2
- import { Config, GetProviderOrThrowFunc } from "../crypto.js";
3
- import { Fx } from "@robelest/fx";
4
- import { GenericActionCtx, GenericDataModel } from "convex/server";
5
- import * as convex_values1 from "convex/values";
6
- import { ConvexError, Infer } from "convex/values";
7
-
8
- //#region src/server/mutations/account.d.ts
9
- declare const modifyAccountArgs: convex_values1.VObject<{
10
- provider: string;
11
- account: {
12
- id: string;
13
- secret: string;
14
- };
15
- }, {
16
- provider: convex_values1.VString<string, "required">;
17
- account: convex_values1.VObject<{
18
- id: string;
19
- secret: string;
20
- }, {
21
- id: convex_values1.VString<string, "required">;
22
- secret: convex_values1.VString<string, "required">;
23
- }, "required", "id" | "secret">;
24
- }, "required", "provider" | "account" | "account.id" | "account.secret">;
25
- declare function modifyAccountImpl(ctx: MutationCtx, args: Infer<typeof modifyAccountArgs>, getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Fx<void, ConvexError<any>>;
26
- declare const callModifyAccount: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof modifyAccountArgs>) => Promise<void>;
27
- //#endregion
28
- export { callModifyAccount, modifyAccountArgs, modifyAccountImpl };
29
- //# sourceMappingURL=account.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"account.d.ts","names":[],"sources":["../../../src/server/mutations/account.ts"],"mappings":";;;;;;;;cAYa,iBAAA,iBAAiB,OAAA;;;;;;;YAG5B,cAAA,CAAA,OAAA;;;;;;;;;iBAEc,iBAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,iBAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,EAAA,OAAS,WAAA;AAAA,cA6BC,iBAAA,qBAA6C,gBAAA,EACxD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,iBAAA,MAClB,OAAA"}
@@ -1 +0,0 @@
1
- {"version":3,"file":"account.js","names":[],"sources":["../../../src/server/mutations/account.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { ConvexError, Infer, v } from \"convex/values\";\n\nimport { GetProviderOrThrowFunc, hash } from \"../crypto\";\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport { MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel, maybeRedact } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const modifyAccountArgs = v.object({\n provider: v.string(),\n account: v.object({ id: v.string(), secret: v.string() }),\n});\n\nexport function modifyAccountImpl(\n ctx: MutationCtx,\n args: Infer<typeof modifyAccountArgs>,\n getProviderOrThrow: GetProviderOrThrowFunc,\n config: Provider.Config,\n): Fx<void, ConvexError<any>> {\n const { provider, account } = args;\n const db = authDb(ctx, config);\n\n logWithLevel(LOG_LEVELS.DEBUG, \"modifyAccountImpl args:\", {\n provider,\n account: { id: account.id, secret: maybeRedact(account.secret ?? 
\"\") },\n });\n\n return Fx.gen(function* () {\n const existingAccount = yield* Fx.promise(() =>\n db.accounts.get(provider, account.id),\n );\n if (existingAccount === null) {\n return yield* Cv.fail({\n code: \"ACCOUNT_NOT_FOUND\",\n message: `Cannot modify account with ID ${account.id} because it does not exist`,\n });\n }\n const hashedSecret = yield* hash(\n getProviderOrThrow(provider),\n account.secret,\n );\n yield* Fx.promise(() =>\n db.accounts.patch(existingAccount._id, { secret: hashedSecret }),\n );\n });\n}\n\nexport const callModifyAccount = async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof modifyAccountArgs>,\n): Promise<void> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"modifyAccount\",\n ...args,\n },\n });\n};\n"],"mappings":";;;;;;;;;AAYA,MAAa,oBAAoB,EAAE,OAAO;CACxC,UAAU,EAAE,QAAQ;CACpB,SAAS,EAAE,OAAO;EAAE,IAAI,EAAE,QAAQ;EAAE,QAAQ,EAAE,QAAQ;EAAE,CAAC;CAC1D,CAAC;AAEF,SAAgB,kBACd,KACA,MACA,oBACA,QAC4B;CAC5B,MAAM,EAAE,UAAU,YAAY;CAC9B,MAAM,KAAK,OAAO,KAAK,OAAO;AAE9B,cAAa,WAAW,OAAO,2BAA2B;EACxD;EACA,SAAS;GAAE,IAAI,QAAQ;GAAI,QAAQ,YAAY,QAAQ,UAAU,GAAG;GAAE;EACvE,CAAC;AAEF,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,kBAAkB,OAAO,GAAG,cAChC,GAAG,SAAS,IAAI,UAAU,QAAQ,GAAG,CACtC;AACD,MAAI,oBAAoB,KACtB,QAAO,OAAO,GAAG,KAAK;GACpB,MAAM;GACN,SAAS,iCAAiC,QAAQ,GAAG;GACtD,CAAC;EAEJ,MAAM,eAAe,OAAO,KAC1B,mBAAmB,SAAS,EAC5B,QAAQ,OACT;AACD,SAAO,GAAG,cACR,GAAG,SAAS,MAAM,gBAAgB,KAAK,EAAE,QAAQ,cAAc,CAAC,CACjE;GACD;;AAGJ,MAAa,oBAAoB,OAC/B,KACA,SACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
@@ -1,30 +0,0 @@
1
- import { MutationCtx } from "../types.js";
2
- import { Config, GetProviderOrThrowFunc } from "../crypto.js";
3
- import { GenericActionCtx, GenericDataModel } from "convex/server";
4
- import * as convex_values18 from "convex/values";
5
- import { Infer } from "convex/values";
6
-
7
- //#region src/server/mutations/code.d.ts
8
- declare const createVerificationCodeArgs: convex_values18.VObject<{
9
- phone?: string | undefined;
10
- email?: string | undefined;
11
- accountId?: string | undefined;
12
- provider: string;
13
- allowExtraProviders: boolean;
14
- code: string;
15
- expirationTime: number;
16
- }, {
17
- accountId: convex_values18.VString<string | undefined, "optional">;
18
- provider: convex_values18.VString<string, "required">;
19
- email: convex_values18.VString<string | undefined, "optional">;
20
- phone: convex_values18.VString<string | undefined, "optional">;
21
- code: convex_values18.VString<string, "required">;
22
- expirationTime: convex_values18.VFloat64<number, "required">;
23
- allowExtraProviders: convex_values18.VBoolean<boolean, "required">;
24
- }, "required", "phone" | "email" | "provider" | "allowExtraProviders" | "accountId" | "code" | "expirationTime">;
25
- type ReturnType = string;
26
- declare function createVerificationCodeImpl(ctx: MutationCtx, args: Infer<typeof createVerificationCodeArgs>, getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Promise<ReturnType>;
27
- declare const callCreateVerificationCode: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof createVerificationCodeArgs>) => Promise<ReturnType>;
28
- //#endregion
29
- export { callCreateVerificationCode, createVerificationCodeArgs, createVerificationCodeImpl };
30
- //# sourceMappingURL=code.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"code.d.ts","names":[],"sources":["../../../src/server/mutations/code.ts"],"mappings":";;;;;;;cAaa,0BAAA,kBAA0B,OAAA;;;;;;;;;aAQrC,eAAA,CAAA,OAAA;;;;;;;;KAEG,UAAA;AAAA,iBAEiB,0BAAA,CACpB,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,0BAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,OAAA,CAAQ,UAAA;AAAA,cAoDE,0BAAA,qBACO,gBAAA,EAElB,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,0BAAA,MAClB,OAAA,CAAQ,UAAA"}
@@ -1 +0,0 @@
1
- {"version":3,"file":"code.js","names":[],"sources":["../../../src/server/mutations/code.ts"],"sourcesContent":["import { Cv } from \"@robelest/fx/convex\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport { getAuthSessionId } from \"../sessions\";\nimport { MutationCtx } from \"../types\";\nimport { EmailConfig, PhoneConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { LOG_LEVELS, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const createVerificationCodeArgs = v.object({\n accountId: v.optional(v.string()),\n provider: v.string(),\n email: v.optional(v.string()),\n phone: v.optional(v.string()),\n code: v.string(),\n expirationTime: v.number(),\n allowExtraProviders: v.boolean(),\n});\n\ntype ReturnType = string;\n\nexport async function createVerificationCodeImpl(\n ctx: MutationCtx,\n args: Infer<typeof createVerificationCodeArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Promise<ReturnType> {\n logWithLevel(LOG_LEVELS.DEBUG, \"createVerificationCodeImpl args:\", args);\n const {\n email,\n phone,\n code,\n expirationTime,\n provider: providerId,\n accountId: existingAccountId,\n allowExtraProviders,\n } = args;\n const db = authDb(ctx, config);\n const typedExistingAccountId = existingAccountId as\n | GenericId<\"Account\">\n | undefined;\n const existingAccount =\n typedExistingAccountId !== undefined\n ? ((await db.accounts.getById(typedExistingAccountId)) ??\n (() => {\n throw Cv.error({\n code: \"ACCOUNT_NOT_FOUND\",\n message: `Expected an account to exist for ID \"${typedExistingAccountId}\"`,\n });\n })())\n : await db.accounts.get(providerId, email ?? 
phone!);\n\n const provider = getProviderOrThrow(providerId, allowExtraProviders) as\n | EmailConfig\n | PhoneConfig;\n const { accountId } = await upsertUserAndAccount(\n ctx,\n await getAuthSessionId(ctx),\n existingAccount !== null\n ? { existingAccount }\n : { providerAccountId: email ?? phone! },\n provider.type === \"email\"\n ? { type: \"email\", provider, profile: { email: email! } }\n : { type: \"phone\", provider, profile: { phone: phone! } },\n config,\n );\n await generateUniqueVerificationCode(\n ctx,\n accountId,\n providerId,\n code,\n expirationTime,\n { email, phone },\n config,\n );\n return email ?? phone!;\n}\n\nexport const callCreateVerificationCode = async <\n DataModel extends GenericDataModel,\n>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof createVerificationCodeArgs>,\n): Promise<ReturnType> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"createVerificationCode\",\n ...args,\n },\n });\n};\n\nasync function generateUniqueVerificationCode(\n ctx: MutationCtx,\n accountId: GenericId<\"Account\">,\n provider: string,\n code: string,\n expirationTime: number,\n { email, phone }: { email?: string; phone?: string },\n config: Provider.Config,\n) {\n const db = authDb(ctx, config);\n const existingCode = await db.verificationCodes.getByAccountId(accountId);\n if (existingCode !== null) {\n await db.verificationCodes.delete(existingCode._id);\n }\n await db.verificationCodes.create({\n accountId,\n provider,\n code: await sha256(code),\n expirationTime,\n emailVerified: email,\n phoneVerified: phone,\n 
});\n}\n"],"mappings":";;;;;;;;;AAaA,MAAa,6BAA6B,EAAE,OAAO;CACjD,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,UAAU,EAAE,QAAQ;CACpB,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,MAAM,EAAE,QAAQ;CAChB,gBAAgB,EAAE,QAAQ;CAC1B,qBAAqB,EAAE,SAAS;CACjC,CAAC;AAIF,eAAsB,2BACpB,KACA,MACA,oBACA,QACqB;AACrB,cAAa,WAAW,OAAO,oCAAoC,KAAK;CACxE,MAAM,EACJ,OACA,OACA,MACA,gBACA,UAAU,YACV,WAAW,mBACX,wBACE;CACJ,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,yBAAyB;CAG/B,MAAM,kBACJ,2BAA2B,SACrB,MAAM,GAAG,SAAS,QAAQ,uBAAuB,WAC5C;AACL,QAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS,wCAAwC,uBAAuB;GACzE,CAAC;KACA,GACJ,MAAM,GAAG,SAAS,IAAI,YAAY,SAAS,MAAO;CAExD,MAAM,WAAW,mBAAmB,YAAY,oBAAoB;CAGpE,MAAM,EAAE,cAAc,MAAM,qBAC1B,KACA,MAAM,iBAAiB,IAAI,EAC3B,oBAAoB,OAChB,EAAE,iBAAiB,GACnB,EAAE,mBAAmB,SAAS,OAAQ,EAC1C,SAAS,SAAS,UACd;EAAE,MAAM;EAAS;EAAU,SAAS,EAAS,OAAQ;EAAE,GACvD;EAAE,MAAM;EAAS;EAAU,SAAS,EAAS,OAAQ;EAAE,EAC3D,OACD;AACD,OAAM,+BACJ,KACA,WACA,YACA,MACA,gBACA;EAAE;EAAO;EAAO,EAChB,OACD;AACD,QAAO,SAAS;;AAGlB,MAAa,6BAA6B,OAGxC,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC;;AAGJ,eAAe,+BACb,KACA,WACA,UACA,MACA,gBACA,EAAE,OAAO,SACT,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,eAAe,MAAM,GAAG,kBAAkB,eAAe,UAAU;AACzE,KAAI,iBAAiB,KACnB,OAAM,GAAG,kBAAkB,OAAO,aAAa,IAAI;AAErD,OAAM,GAAG,kBAAkB,OAAO;EAChC;EACA;EACA,MAAM,MAAM,OAAO,KAAK;EACxB;EACA,eAAe;EACf,eAAe;EAChB,CAAC"}
@@ -1,14 +0,0 @@
1
- import { callModifyAccount } from "./account.js";
2
- import { callCreateVerificationCode } from "./code.js";
3
- import { callInvalidateSessions } from "./invalidate.js";
4
- import { callUserOAuth } from "./oauth.js";
5
- import { callRefreshSession } from "./refresh.js";
6
- import { callCreateAccountFromCredentials } from "./register.js";
7
- import { callRetrieveAccountWithCredentials } from "./retrieve.js";
8
- import { callVerifierSignature } from "./signature.js";
9
- import { callSignIn } from "./signin.js";
10
- import { callSignOut } from "./signout.js";
11
- import { storeArgs, storeImpl } from "./store.js";
12
- import { callVerifier } from "./verifier.js";
13
- import { callVerifyCodeAndSignIn } from "./verify.js";
14
- export { callCreateAccountFromCredentials, callCreateVerificationCode, callInvalidateSessions, callModifyAccount, callRefreshSession, callRetrieveAccountWithCredentials, callSignIn, callSignOut, callUserOAuth, callVerifier, callVerifierSignature, callVerifyCodeAndSignIn, storeArgs, storeImpl };
@@ -1,20 +0,0 @@
1
- import { MutationCtx } from "../types.js";
2
- import { Config } from "../crypto.js";
3
- import { Fx } from "@robelest/fx";
4
- import { GenericActionCtx, GenericDataModel } from "convex/server";
5
- import * as convex_values6 from "convex/values";
6
- import { Infer } from "convex/values";
7
-
8
- //#region src/server/mutations/invalidate.d.ts
9
- declare const invalidateSessionsArgs: convex_values6.VObject<{
10
- except?: string[] | undefined;
11
- userId: string;
12
- }, {
13
- userId: convex_values6.VString<string, "required">;
14
- except: convex_values6.VArray<string[] | undefined, convex_values6.VString<string, "required">, "optional">;
15
- }, "required", "userId" | "except">;
16
- declare const callInvalidateSessions: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof invalidateSessionsArgs>) => Promise<void>;
17
- declare function invalidateSessionsImpl(ctx: MutationCtx, args: Infer<typeof invalidateSessionsArgs>, config: Config): Fx<void, never>;
18
- //#endregion
19
- export { callInvalidateSessions, invalidateSessionsArgs, invalidateSessionsImpl };
20
- //# sourceMappingURL=invalidate.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"invalidate.d.ts","names":[],"sources":["../../../src/server/mutations/invalidate.ts"],"mappings":";;;;;;;;cAWa,sBAAA,iBAAsB,OAAA;;;;UAGjC,cAAA,CAAA,OAAA;;;cAEW,sBAAA,qBACO,gBAAA,EAElB,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,sBAAA,MAClB,OAAA;AAAA,iBASa,sBAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,sBAAA,GACnB,MAAA,EAAQ,MAAA,GACP,EAAA"}
@@ -1 +0,0 @@
1
- {"version":3,"file":"invalidate.js","names":[],"sources":["../../../src/server/mutations/invalidate.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport { deleteSession } from \"../sessions\";\nimport { Doc, MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const invalidateSessionsArgs = v.object({\n userId: v.string(),\n except: v.optional(v.array(v.string())),\n});\n\nexport const callInvalidateSessions = async <\n DataModel extends GenericDataModel,\n>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof invalidateSessionsArgs>,\n): Promise<void> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"invalidateSessions\",\n ...args,\n },\n });\n};\n\nexport function invalidateSessionsImpl(\n ctx: MutationCtx,\n args: Infer<typeof invalidateSessionsArgs>,\n config: Provider.Config,\n): Fx<void, never> {\n return Fx.gen(function* () {\n logWithLevel(LOG_LEVELS.DEBUG, \"invalidateSessionsImpl args:\", args);\n const { userId, except } = args;\n const exceptSet = new Set(except ?? []);\n const typedUserId = userId as GenericId<\"User\">;\n const sessions = (yield* Fx.promise(() =>\n authDb(ctx, config).sessions.listByUser(typedUserId),\n )) as Doc<\"Session\">[];\n yield* Fx.each(sessions, (session: Doc<\"Session\">) =>\n exceptSet.has(session._id)\n ? 
Fx.unit\n : Fx.promise(() => deleteSession(ctx, session, config)),\n );\n });\n}\n"],"mappings":";;;;;;;;AAWA,MAAa,yBAAyB,EAAE,OAAO;CAC7C,QAAQ,EAAE,QAAQ;CAClB,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CACxC,CAAC;AAEF,MAAa,yBAAyB,OAGpC,KACA,SACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC;;AAGJ,SAAgB,uBACd,KACA,MACA,QACiB;AACjB,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,WAAW,OAAO,gCAAgC,KAAK;EACpE,MAAM,EAAE,QAAQ,WAAW;EAC3B,MAAM,YAAY,IAAI,IAAI,UAAU,EAAE,CAAC;EACvC,MAAM,cAAc;EACpB,MAAM,WAAY,OAAO,GAAG,cAC1B,OAAO,KAAK,OAAO,CAAC,SAAS,WAAW,YAAY,CACrD;AACD,SAAO,GAAG,KAAK,WAAW,YACxB,UAAU,IAAI,QAAQ,IAAI,GACtB,GAAG,OACH,GAAG,cAAc,cAAc,KAAK,SAAS,OAAO,CAAC,CAC1D;GACD"}
@@ -1,30 +0,0 @@
1
- import { MutationCtx } from "../types.js";
2
- import { Config, GetProviderOrThrowFunc } from "../crypto.js";
3
- import { Fx } from "@robelest/fx";
4
- import { GenericActionCtx, GenericDataModel } from "convex/server";
5
- import * as convex_values10 from "convex/values";
6
- import { ConvexError, Infer } from "convex/values";
7
-
8
- //#region src/server/mutations/oauth.d.ts
9
- declare const userOAuthArgs: convex_values10.VObject<{
10
- accountExtend?: any;
11
- provider: string;
12
- signature: string;
13
- providerAccountId: string;
14
- profile: any;
15
- }, {
16
- provider: convex_values10.VString<string, "required">;
17
- providerAccountId: convex_values10.VString<string, "required">;
18
- profile: convex_values10.VAny<any, "required", string>;
19
- signature: convex_values10.VString<string, "required">;
20
- accountExtend: convex_values10.VAny<any, "optional", string>;
21
- }, "required", "provider" | "signature" | "providerAccountId" | "profile" | "accountExtend" | `profile.${string}` | `accountExtend.${string}`>;
22
- type ReturnType = string;
23
- declare function userOAuthImpl(ctx: MutationCtx, args: Infer<typeof userOAuthArgs>, getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Fx<ReturnType, ConvexError<{
24
- code: string;
25
- message: string;
26
- }>>;
27
- declare const callUserOAuth: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof userOAuthArgs>) => Promise<ReturnType>;
28
- //#endregion
29
- export { callUserOAuth, userOAuthArgs, userOAuthImpl };
30
- //# sourceMappingURL=oauth.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"oauth.d.ts","names":[],"sources":["../../../src/server/mutations/oauth.ts"],"mappings":";;;;;;;;cAuBa,aAAA,kBAAa,OAAA;;;;;;;YAMxB,eAAA,CAAA,OAAA;;;;;;KA8CG,UAAA;AAAA,iBAEW,aAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,aAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,EAAA,CAAG,UAAA,EAAY,WAAA;EAAc,IAAA;EAAc,OAAA;AAAA;AAAA,cAsJjC,aAAA,qBAAyC,gBAAA,EACpD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,aAAA,MAClB,OAAA,CAAQ,UAAA"}
@@ -1 +0,0 @@
1
- {"version":3,"file":"oauth.js","names":[],"sources":["../../../src/server/mutations/oauth.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport type { ConvexError } from \"convex/values\";\nimport { Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport { createSyntheticOAuthMaterializedConfig } from \"../enterprise/oidc\";\nimport { normalizeEnterprisePolicy } from \"../enterprise/policy\";\nimport {\n ENTERPRISE_OIDC_PROVIDER_PREFIX,\n ENTERPRISE_SAML_PROVIDER_PREFIX,\n isEnterpriseProviderId,\n} from \"../enterprise/shared\";\nimport { MutationCtx } from \"../types\";\nimport type { AuthProviderMaterializedConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { generateRandomString, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nconst OAUTH_SIGN_IN_EXPIRATION_MS = 1000 * 60 * 2; // 2 minutes\n\nexport const userOAuthArgs = v.object({\n provider: v.string(),\n providerAccountId: v.string(),\n profile: v.any(),\n signature: v.string(),\n accountExtend: v.optional(v.any()),\n});\n\nfunction normalizeAccountExtend(\n provider: string,\n providerAccountId: string,\n accountExtend: unknown,\n) {\n const baseIdentity: Record<string, unknown> = {\n type: \"oauth\",\n provider,\n providerAccountId,\n };\n if (provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)) {\n baseIdentity.type = \"enterprise-oidc\";\n baseIdentity.enterpriseId = provider.slice(\n ENTERPRISE_OIDC_PROVIDER_PREFIX.length,\n );\n }\n if (provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)) {\n baseIdentity.type = \"enterprise-saml\";\n baseIdentity.enterpriseId = provider.slice(\n ENTERPRISE_SAML_PROVIDER_PREFIX.length,\n );\n }\n const provided =\n typeof accountExtend === \"object\" &&\n accountExtend !== null &&\n 
!Array.isArray(accountExtend)\n ? (accountExtend as Record<string, unknown>)\n : undefined;\n const providedIdentity =\n provided &&\n typeof provided.identity === \"object\" &&\n provided.identity !== null &&\n !Array.isArray(provided.identity)\n ? (provided.identity as Record<string, unknown>)\n : undefined;\n return {\n ...provided,\n identity: {\n ...baseIdentity,\n ...providedIdentity,\n },\n };\n}\n\ntype ReturnType = string;\n\nexport function userOAuthImpl(\n ctx: MutationCtx,\n args: Infer<typeof userOAuthArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Fx<ReturnType, ConvexError<{ code: string; message: string }>> {\n return Fx.gen(function* () {\n logWithLevel(\"DEBUG\", \"userOAuthImpl args:\", args);\n const { profile, provider, providerAccountId, signature, accountExtend } =\n args;\n const db = authDb(ctx, config);\n const existingAccount = yield* Fx.promise(() =>\n db.accounts.get(provider, providerAccountId),\n );\n const enterpriseId = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)\n ? provider.slice(ENTERPRISE_OIDC_PROVIDER_PREFIX.length)\n : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n ? provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length)\n : null;\n const enterprise =\n enterpriseId !== null\n ? yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.enterpriseGet, {\n enterpriseId,\n }),\n )\n : null;\n const enterprisePolicy = enterprise\n ? normalizeEnterprisePolicy(enterprise.policy)\n : null;\n const enterpriseProtocol = provider.startsWith(\n ENTERPRISE_OIDC_PROVIDER_PREFIX,\n )\n ? \"oidc\"\n : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n ? \"saml\"\n : null;\n\n const existingScimIdentity =\n enterpriseId !== null &&\n existingAccount === null &&\n enterprisePolicy?.provisioning.scimReuse.user === \"externalId\"\n ? 
yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {\n enterpriseId,\n resourceType: \"user\",\n externalId: providerAccountId,\n }),\n )\n : null;\n\n const verifier = yield* Fx.from({\n ok: () => db.verifiers.getBySignature(signature),\n err: () =>\n Cv.error({\n code: \"OAUTH_INVALID_STATE\",\n message: \"Invalid OAuth state. Please try signing in again.\",\n }),\n }).pipe(\n Fx.chain((doc) =>\n doc === null\n ? Cv.fail({\n code: \"OAUTH_INVALID_STATE\",\n message: \"Invalid OAuth state. Please try signing in again.\",\n })\n : Fx.succeed(doc),\n ),\n );\n\n const { accountId } = yield* Fx.promise(() =>\n upsertUserAndAccount(\n ctx,\n verifier.sessionId ?? null,\n existingAccount !== null ? { existingAccount } : { providerAccountId },\n {\n type: \"oauth\",\n provider: (isEnterpriseProviderId(provider)\n ? createSyntheticOAuthMaterializedConfig(provider, {\n accountLinking:\n enterpriseProtocol === \"oidc\"\n ? enterprisePolicy?.identity.accountLinking.oidc\n : enterpriseProtocol === \"saml\"\n ? enterprisePolicy?.identity.accountLinking.saml\n : undefined,\n })\n : getProviderOrThrow(provider)) as AuthProviderMaterializedConfig,\n profile,\n accountExtend: normalizeAccountExtend(\n provider,\n providerAccountId,\n accountExtend,\n ),\n },\n config,\n existingScimIdentity?.userId\n ? 
{ existingUserId: existingScimIdentity.userId }\n : undefined,\n ),\n );\n\n // JIT group provisioning: if this is an enterprise SSO sign-in and the\n // enterprise connection has a groupId, auto-add the user as a member of\n // that group if they aren't already a member.\n if (\n enterpriseId !== null &&\n enterprisePolicy?.provisioning.jit.mode === \"createUserAndMembership\"\n ) {\n const account = yield* Fx.promise(() => db.accounts.getById(accountId));\n const userId = account?.userId;\n if (userId) {\n const groupId = (enterprise as any)?.groupId as string | undefined;\n if (groupId) {\n const existingMembership = yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.memberGetByGroupAndUser, {\n userId,\n groupId,\n }),\n );\n if (existingMembership === null) {\n yield* Fx.promise(() =>\n ctx.runMutation(config.component.public.memberAdd, {\n groupId,\n userId,\n roleIds: enterprisePolicy.provisioning.jit.defaultRoleIds,\n status: \"active\",\n }),\n );\n }\n }\n }\n }\n\n const code = generateRandomString(8, \"0123456789\");\n yield* Fx.promise(() => db.verifiers.delete(verifier._id));\n const existingVerificationCode = yield* Fx.promise(() =>\n db.verificationCodes.getByAccountId(accountId),\n );\n if (existingVerificationCode !== null) {\n yield* Fx.promise(() =>\n db.verificationCodes.delete(existingVerificationCode._id),\n );\n }\n yield* Fx.promise(async () =>\n db.verificationCodes.create({\n code: await sha256(code),\n accountId,\n provider,\n expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,\n verifier: verifier._id,\n }),\n );\n return code;\n });\n}\n\nexport const callUserOAuth = async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof userOAuthArgs>,\n): Promise<ReturnType> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"userOAuth\",\n ...args,\n },\n 
});\n};\n"],"mappings":";;;;;;;;;;;;AAqBA,MAAM,8BAA8B,MAAO,KAAK;AAEhD,MAAa,gBAAgB,EAAE,OAAO;CACpC,UAAU,EAAE,QAAQ;CACpB,mBAAmB,EAAE,QAAQ;CAC7B,SAAS,EAAE,KAAK;CAChB,WAAW,EAAE,QAAQ;CACrB,eAAe,EAAE,SAAS,EAAE,KAAK,CAAC;CACnC,CAAC;AAEF,SAAS,uBACP,UACA,mBACA,eACA;CACA,MAAM,eAAwC;EAC5C,MAAM;EACN;EACA;EACD;AACD,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;AAEH,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;CAEH,MAAM,WACJ,OAAO,kBAAkB,YACzB,kBAAkB,QAClB,CAAC,MAAM,QAAQ,cAAc,GACxB,gBACD;CACN,MAAM,mBACJ,YACA,OAAO,SAAS,aAAa,YAC7B,SAAS,aAAa,QACtB,CAAC,MAAM,QAAQ,SAAS,SAAS,GAC5B,SAAS,WACV;AACN,QAAO;EACL,GAAG;EACH,UAAU;GACR,GAAG;GACH,GAAG;GACJ;EACF;;AAKH,SAAgB,cACd,KACA,MACA,oBACA,QACgE;AAChE,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,SAAS,uBAAuB,KAAK;EAClD,MAAM,EAAE,SAAS,UAAU,mBAAmB,WAAW,kBACvD;EACF,MAAM,KAAK,OAAO,KAAK,OAAO;EAC9B,MAAM,kBAAkB,OAAO,GAAG,cAChC,GAAG,SAAS,IAAI,UAAU,kBAAkB,CAC7C;EACD,MAAM,eAAe,SAAS,WAAW,gCAAgC,GACrE,SAAS,MAAM,gCAAgC,OAAO,GACtD,SAAS,WAAW,gCAAgC,GAClD,SAAS,MAAM,gCAAgC,OAAO,GACtD;EACN,MAAM,aACJ,iBAAiB,OACb,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,eAAe,EAClD,cACD,CAAC,CACH,GACD;EACN,MAAM,mBAAmB,aACrB,0BAA0B,WAAW,OAAO,GAC5C;EACJ,MAAM,qBAAqB,SAAS,WAClC,gCACD,GACG,SACA,SAAS,WAAW,gCAAgC,GAClD,SACA;EAEN,MAAM,uBACJ,iBAAiB,QACjB,oBAAoB,QACpB,kBAAkB,aAAa,UAAU,SAAS,eAC9C,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,2BAA2B;GAC9D;GACA,cAAc;GACd,YAAY;GACb,CAAC,CACH,GACD;EAEN,MAAM,WAAW,OAAO,GAAG,KAAK;GAC9B,UAAU,GAAG,UAAU,eAAe,UAAU;GAChD,WACE,GAAG,MAAM;IACP,MAAM;IACN,SAAS;IACV,CAAC;GACL,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK;GACN,MAAM;GACN,SAAS;GACV,CAAC,GACF,GAAG,QAAQ,IAAI,CACpB,CACF;EAED,MAAM,EAAE,cAAc,OAAO,GAAG,cAC9B,qBACE,KACA,SAAS,aAAa,MACtB,oBAAoB,OAAO,EAAE,iBAAiB,GAAG,EAAE,mBAAmB,EACtE;GACE,MAAM;GACN,UAAW,uBAAuB,SAAS,GACvC,uCAAuC,UAAU,EAC/C,gBACE,uBAAuB,SACnB,kBAAkB,SAAS,eAAe,OAC1C,uBAAuB,SACrB,kBAAkB,SAAS,eAAe,OAC1C,QACT,CAAC,GACF,mBAAmB,SAAS;GAChC;GACA,eAAe,uBACb,UACA,mBACA,cACD;GACF,EACD,QACA,sBA
AsB,SAClB,EAAE,gBAAgB,qBAAqB,QAAQ,GAC/C,OACL,CACF;AAKD,MACE,iBAAiB,QACjB,kBAAkB,aAAa,IAAI,SAAS,2BAC5C;GAEA,MAAM,UADU,OAAO,GAAG,cAAc,GAAG,SAAS,QAAQ,UAAU,CAAC,GAC/C;AACxB,OAAI,QAAQ;IACV,MAAM,UAAW,YAAoB;AACrC,QAAI,SAOF;UAN2B,OAAO,GAAG,cACnC,IAAI,SAAS,OAAO,UAAU,OAAO,yBAAyB;MAC5D;MACA;MACD,CAAC,CACH,MAC0B,KACzB,QAAO,GAAG,cACR,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;MACjD;MACA;MACA,SAAS,iBAAiB,aAAa,IAAI;MAC3C,QAAQ;MACT,CAAC,CACH;;;;EAMT,MAAM,OAAO,qBAAqB,GAAG,aAAa;AAClD,SAAO,GAAG,cAAc,GAAG,UAAU,OAAO,SAAS,IAAI,CAAC;EAC1D,MAAM,2BAA2B,OAAO,GAAG,cACzC,GAAG,kBAAkB,eAAe,UAAU,CAC/C;AACD,MAAI,6BAA6B,KAC/B,QAAO,GAAG,cACR,GAAG,kBAAkB,OAAO,yBAAyB,IAAI,CAC1D;AAEH,SAAO,GAAG,QAAQ,YAChB,GAAG,kBAAkB,OAAO;GAC1B,MAAM,MAAM,OAAO,KAAK;GACxB;GACA;GACA,gBAAgB,KAAK,KAAK,GAAG;GAC7B,UAAU,SAAS;GACpB,CAAC,CACH;AACD,SAAO;GACP;;AAGJ,MAAa,gBAAgB,OAC3B,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
@@ -1,21 +0,0 @@
1
- import { MutationCtx } from "../types.js";
2
- import { Config, GetProviderOrThrowFunc } from "../crypto.js";
3
- import { GenericActionCtx, GenericDataModel } from "convex/server";
4
- import * as convex_values16 from "convex/values";
5
- import { Infer } from "convex/values";
6
-
7
- //#region src/server/mutations/refresh.d.ts
8
- declare const refreshSessionArgs: convex_values16.VObject<{
9
- refreshToken: string;
10
- }, {
11
- refreshToken: convex_values16.VString<string, "required">;
12
- }, "required", "refreshToken">;
13
- type RefreshResult = null | {
14
- token: string;
15
- refreshToken: string;
16
- };
17
- declare function refreshSessionImpl(ctx: MutationCtx, args: Infer<typeof refreshSessionArgs>, _getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Promise<RefreshResult>;
18
- declare const callRefreshSession: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof refreshSessionArgs>) => Promise<RefreshResult>;
19
- //#endregion
20
- export { callRefreshSession, refreshSessionArgs, refreshSessionImpl };
21
- //# sourceMappingURL=refresh.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"refresh.d.ts","names":[],"sources":["../../../src/server/mutations/refresh.ts"],"mappings":";;;;;;;cAiBa,kBAAA,EAEX,eAAA,CAF6B,OAAA;;;gBAE7B,eAAA,CAAA,OAAA;AAAA;AAAA,KAEG,aAAA;EACH,KAAA;EACA,YAAA;AAAA;AAAA,iBAiBoB,kBAAA,CACpB,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,kBAAA,GACnB,mBAAA,EAAqB,sBAAA,EACrB,MAAA,EAAQ,MAAA,GACP,OAAA,CAAQ,aAAA;AAAA,cAmPE,kBAAA,qBAA8C,gBAAA,EACzD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,kBAAA,MAClB,OAAA,CAAQ,aAAA"}
@@ -1 +0,0 @@
1
- {"version":3,"file":"refresh.js","names":[],"sources":["../../../src/server/mutations/refresh.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { ConvexError, Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport {\n invalidateRefreshTokensInSubtree,\n parseRefreshToken,\n REFRESH_TOKEN_REUSE_WINDOW_MS,\n refreshTokenIfValid,\n} from \"../refresh\";\nimport { generateTokensForSession } from \"../sessions\";\nimport { MutationCtx } from \"../types\";\nimport { logWithLevel, maybeRedact } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const refreshSessionArgs = v.object({\n refreshToken: v.string(),\n});\n\ntype RefreshResult = null | {\n token: string;\n refreshToken: string;\n};\n\n// ============================================================================\n// Small helpers for the refresh pipeline\n// ============================================================================\n\n/** A soft refresh failure — logged and collapsed to null at the boundary. 
*/\nclass RefreshFailure {\n readonly _tag = \"RefreshFailure\" as const;\n constructor(readonly reason: string) {}\n}\n\n// ============================================================================\n// Main exported function\n// ============================================================================\n\nexport async function refreshSessionImpl(\n ctx: MutationCtx,\n args: Infer<typeof refreshSessionArgs>,\n _getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Promise<RefreshResult> {\n const db = authDb(ctx, config);\n const { refreshToken } = args;\n\n return Fx.run(\n parseRefreshToken(refreshToken).pipe(\n Fx.recover((err: ConvexError<any>) =>\n Fx.fail(new RefreshFailure(err.data.message)),\n ),\n Fx.tap(({ refreshTokenId, sessionId: tokenSessionId }) =>\n Fx.sync(() =>\n logWithLevel(\n \"DEBUG\",\n `refreshSessionImpl args: Token ID: ${maybeRedact(refreshTokenId)} Session ID: ${maybeRedact(tokenSessionId)}`,\n ),\n ),\n ),\n Fx.chain(({ refreshTokenId, sessionId: tokenSessionId }) =>\n refreshTokenIfValid(ctx, refreshTokenId, tokenSessionId, config).pipe(\n Fx.chain((validationResult) =>\n validationResult === null\n ? 
Fx.gen(function* () {\n yield* Fx.from({\n ok: async () => {\n const session = await (db as any).sessions.getById(\n tokenSessionId,\n );\n if (session !== null) {\n await (db as any).sessions.delete(session._id);\n }\n },\n err: () =>\n new RefreshFailure(\n \"Skipping invalid session id during refresh cleanup\",\n ),\n }).pipe(\n Fx.recover((f) => {\n logWithLevel(\"DEBUG\", f.reason);\n return Fx.succeed(undefined as void);\n }),\n );\n\n yield* Fx.from({\n ok: () =>\n authDb(ctx, config).refreshTokens.deleteAll(\n tokenSessionId as any,\n ),\n err: () =>\n new RefreshFailure(\n \"Skipping invalid token session id during refresh token cleanup\",\n ),\n }).pipe(\n Fx.recover((f) => {\n logWithLevel(\"DEBUG\", f.reason);\n return Fx.succeed(undefined as void);\n }),\n );\n\n return null;\n })\n : (() => {\n const { session } = validationResult;\n const sessionId = session._id;\n const userId = session.userId;\n const tokenFirstUsed =\n validationResult.refreshTokenDoc.firstUsedTime;\n return tokenFirstUsed === undefined\n ? 
Fx.from({\n ok: async () => {\n await (db as any).refreshTokens.patch(\n refreshTokenId,\n {\n firstUsedTime: Date.now(),\n },\n );\n const result = await generateTokensForSession(\n ctx,\n config,\n {\n userId,\n sessionId,\n issuedRefreshTokenId: null,\n parentRefreshTokenId: refreshTokenId as any,\n },\n );\n const { refreshTokenId: newRefreshTokenId } =\n await Fx.run(\n parseRefreshToken(result.refreshToken),\n );\n logWithLevel(\n \"DEBUG\",\n `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (first use) for new refresh token ${maybeRedact(newRefreshTokenId)}`,\n );\n return result;\n },\n err: () =>\n new RefreshFailure(\n \"Failed during first-use token exchange\",\n ),\n })\n : Fx.from({\n ok: () =>\n authDb(ctx, config).refreshTokens.getActive(\n tokenSessionId as any,\n ),\n err: () =>\n new RefreshFailure(\n \"Failed to load active refresh token\",\n ),\n }).pipe(\n Fx.chain((activeRefreshToken) => {\n logWithLevel(\n \"DEBUG\",\n `Active refresh token: ${maybeRedact(activeRefreshToken?._id ?? \"(none)\")}, parent ${maybeRedact(activeRefreshToken?.parentRefreshTokenId ?? \"(none)\")}`,\n );\n\n const reuseDispatch =\n activeRefreshToken !== null &&\n activeRefreshToken.parentRefreshTokenId ===\n refreshTokenId\n ? ({\n tag: \"parentOfActive\",\n activeRefreshToken,\n } as const)\n : tokenFirstUsed + REFRESH_TOKEN_REUSE_WINDOW_MS >\n Date.now()\n ? 
({ tag: \"withinReuseWindow\" } as const)\n : ({ tag: \"outsideReuseWindow\" } as const);\n\n if (reuseDispatch.tag === \"parentOfActive\") {\n return Fx.from({\n ok: () =>\n generateTokensForSession(ctx, config, {\n userId,\n sessionId,\n issuedRefreshTokenId:\n reuseDispatch.activeRefreshToken._id,\n parentRefreshTokenId: refreshTokenId as any,\n }),\n err: () =>\n new RefreshFailure(\n \"Failed to generate tokens for parent reuse\",\n ),\n }).pipe(\n Fx.tap(() =>\n Fx.sync(() =>\n logWithLevel(\n \"DEBUG\",\n `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} is parent of active refresh token ${maybeRedact(reuseDispatch.activeRefreshToken._id)}, so returning that token`,\n ),\n ),\n ),\n );\n }\n\n if (reuseDispatch.tag === \"withinReuseWindow\") {\n return Fx.from({\n ok: async () => {\n const result = await generateTokensForSession(\n ctx,\n config,\n {\n userId,\n sessionId,\n issuedRefreshTokenId: null,\n parentRefreshTokenId: refreshTokenId as any,\n },\n );\n const { refreshTokenId: newRefreshTokenId } =\n await Fx.run(\n parseRefreshToken(result.refreshToken),\n );\n logWithLevel(\n \"DEBUG\",\n `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (reuse) for new refresh token ${maybeRedact(newRefreshTokenId)}`,\n );\n return result;\n },\n err: () =>\n new RefreshFailure(\n \"Failed to generate tokens for reuse window\",\n ),\n });\n }\n\n logWithLevel(\n \"ERROR\",\n \"Refresh token used outside of reuse window\",\n );\n logWithLevel(\n \"DEBUG\",\n `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} being used outside of reuse window, so invalidating all refresh tokens in subtree`,\n );\n return Fx.from({\n ok: async () => {\n const tokensToInvalidate =\n await invalidateRefreshTokensInSubtree(\n ctx,\n validationResult.refreshTokenDoc,\n config,\n );\n logWithLevel(\n \"DEBUG\",\n `Invalidated ${tokensToInvalidate.length} refresh tokens in subtree: ${tokensToInvalidate\n .map((token) => maybeRedact(token._id))\n .join(\", 
\")}`,\n );\n return null;\n },\n err: () =>\n new RefreshFailure(\n \"Failed to invalidate refresh tokens in subtree\",\n ),\n });\n }),\n );\n })(),\n ),\n ),\n ),\n Fx.fold({\n ok: (result) => result,\n err: (failure) => {\n logWithLevel(\"DEBUG\", failure.reason);\n return null;\n },\n }),\n ),\n );\n}\n\n// ============================================================================\n// Invalid token path — cleanup session and refresh tokens\n// ============================================================================\n\n// ============================================================================\n// Valid token path — dispatch on first-use / parent / reuse-window / stale\n// ============================================================================\n\n// ============================================================================\n// Action-level caller (unchanged — just forwards to mutation)\n// ============================================================================\n\nexport const callRefreshSession = async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof refreshSessionArgs>,\n): Promise<RefreshResult> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"refreshSession\",\n ...args,\n },\n 
});\n};\n"],"mappings":";;;;;;;;;AAiBA,MAAa,qBAAqB,EAAE,OAAO,EACzC,cAAc,EAAE,QAAQ,EACzB,CAAC;;AAYF,IAAM,iBAAN,MAAqB;CACnB,AAAS,OAAO;CAChB,YAAY,AAAS,QAAgB;EAAhB;;;AAOvB,eAAsB,mBACpB,KACA,MACA,qBACA,QACwB;CACxB,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,EAAE,iBAAiB;AAEzB,QAAO,GAAG,IACR,kBAAkB,aAAa,CAAC,KAC9B,GAAG,SAAS,QACV,GAAG,KAAK,IAAI,eAAe,IAAI,KAAK,QAAQ,CAAC,CAC9C,EACD,GAAG,KAAK,EAAE,gBAAgB,WAAW,qBACnC,GAAG,WACD,aACE,SACA,sCAAsC,YAAY,eAAe,CAAC,eAAe,YAAY,eAAe,GAC7G,CACF,CACF,EACD,GAAG,OAAO,EAAE,gBAAgB,WAAW,qBACrC,oBAAoB,KAAK,gBAAgB,gBAAgB,OAAO,CAAC,KAC/D,GAAG,OAAO,qBACR,qBAAqB,OACjB,GAAG,IAAI,aAAa;AAClB,SAAO,GAAG,KAAK;GACb,IAAI,YAAY;IACd,MAAM,UAAU,MAAO,GAAW,SAAS,QACzC,eACD;AACD,QAAI,YAAY,KACd,OAAO,GAAW,SAAS,OAAO,QAAQ,IAAI;;GAGlD,WACE,IAAI,eACF,qDACD;GACJ,CAAC,CAAC,KACD,GAAG,SAAS,MAAM;AAChB,gBAAa,SAAS,EAAE,OAAO;AAC/B,UAAO,GAAG,QAAQ,OAAkB;IACpC,CACH;AAED,SAAO,GAAG,KAAK;GACb,UACE,OAAO,KAAK,OAAO,CAAC,cAAc,UAChC,eACD;GACH,WACE,IAAI,eACF,iEACD;GACJ,CAAC,CAAC,KACD,GAAG,SAAS,MAAM;AAChB,gBAAa,SAAS,EAAE,OAAO;AAC/B,UAAO,GAAG,QAAQ,OAAkB;IACpC,CACH;AAED,SAAO;GACP,UACK;EACL,MAAM,EAAE,YAAY;EACpB,MAAM,YAAY,QAAQ;EAC1B,MAAM,SAAS,QAAQ;EACvB,MAAM,iBACJ,iBAAiB,gBAAgB;AACnC,SAAO,mBAAmB,SACtB,GAAG,KAAK;GACN,IAAI,YAAY;AACd,UAAO,GAAW,cAAc,MAC9B,gBACA,EACE,eAAe,KAAK,KAAK,EAC1B,CACF;IACD,MAAM,SAAS,MAAM,yBACnB,KACA,QACA;KACE;KACA;KACA,sBAAsB;KACtB,sBAAsB;KACvB,CACF;IACD,MAAM,EAAE,gBAAgB,sBACtB,MAAM,GAAG,IACP,kBAAkB,OAAO,aAAa,CACvC;AACH,iBACE,SACA,aAAa,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,qCAAqC,YAAY,kBAAkB,GACnI;AACD,WAAO;;GAET,WACE,IAAI,eACF,yCACD;GACJ,CAAC,GACF,GAAG,KAAK;GACN,UACE,OAAO,KAAK,OAAO,CAAC,cAAc,UAChC,eACD;GACH,WACE,IAAI,eACF,sCACD;GACJ,CAAC,CAAC,KACD,GAAG,OAAO,uBAAuB;AAC/B,gBACE,SACA,yBAAyB,YAAY,oBAAoB,OAAO,SAAS,CAAC,WAAW,YAAY,oBAAoB,wBAAwB,SAAS,GACvJ;GAED,MAAM,gBACJ,uBAAuB,QACvB,mBAAmB,yBACjB,iBACG;IACC,KAAK;IACL;IACD,GACD,iBAAiB,gCACf,KAAK,KAAK,GACT,EAAE,KAAK,qBAAqB,GAC5B,EAAE,KAAK,sBAAsB;AAEtC,OAAI,cAAc,QAAQ,iBACxB,QAAO,GAAG,KAAK;IACb,UACE,yBAAyB,KAAK,QAAQ;KACpC;KACA;KACA,sBACE,cAAc,mBAAmB;K
ACnC,sBAAsB;KACvB,CAAC;IACJ,WACE,IAAI,eACF,6CACD;IACJ,CAAC,CAAC,KACD,GAAG,UACD,GAAG,WACD,aACE,SACA,SAAS,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,qCAAqC,YAAY,cAAc,mBAAmB,IAAI,CAAC,2BACnJ,CACF,CACF,CACF;AAGH,OAAI,cAAc,QAAQ,oBACxB,QAAO,GAAG,KAAK;IACb,IAAI,YAAY;KACd,MAAM,SAAS,MAAM,yBACnB,KACA,QACA;MACE;MACA;MACA,sBAAsB;MACtB,sBAAsB;MACvB,CACF;KACD,MAAM,EAAE,gBAAgB,sBACtB,MAAM,GAAG,IACP,kBAAkB,OAAO,aAAa,CACvC;AACH,kBACE,SACA,aAAa,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,iCAAiC,YAAY,kBAAkB,GAC/H;AACD,YAAO;;IAET,WACE,IAAI,eACF,6CACD;IACJ,CAAC;AAGJ,gBACE,SACA,6CACD;AACD,gBACE,SACA,SAAS,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,oFAC5D;AACD,UAAO,GAAG,KAAK;IACb,IAAI,YAAY;KACd,MAAM,qBACJ,MAAM,iCACJ,KACA,iBAAiB,iBACjB,OACD;AACH,kBACE,SACA,eAAe,mBAAmB,OAAO,8BAA8B,mBACpE,KAAK,UAAU,YAAY,MAAM,IAAI,CAAC,CACtC,KAAK,KAAK,GACd;AACD,YAAO;;IAET,WACE,IAAI,eACF,iDACD;IACJ,CAAC;IACF,CACH;KACH,CACT,CACF,CACF,EACD,GAAG,KAAK;EACN,KAAK,WAAW;EAChB,MAAM,YAAY;AAChB,gBAAa,SAAS,QAAQ,OAAO;AACrC,UAAO;;EAEV,CAAC,CACH,CACF;;AAeH,MAAa,qBAAqB,OAChC,KACA,SAC2B;AAC3B,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
@@ -1,38 +0,0 @@
1
- import { Doc, MutationCtx } from "../types.js";
2
- import { Config, GetProviderOrThrowFunc } from "../crypto.js";
3
- import { GenericActionCtx, GenericDataModel } from "convex/server";
4
- import * as convex_values104 from "convex/values";
5
- import { Infer } from "convex/values";
6
-
7
- //#region src/server/mutations/register.d.ts
8
- declare const createAccountFromCredentialsArgs: convex_values104.VObject<{
9
- shouldLinkViaEmail?: boolean | undefined;
10
- shouldLinkViaPhone?: boolean | undefined;
11
- provider: string;
12
- profile: any;
13
- account: {
14
- secret?: string | undefined;
15
- id: string;
16
- };
17
- }, {
18
- provider: convex_values104.VString<string, "required">;
19
- account: convex_values104.VObject<{
20
- secret?: string | undefined;
21
- id: string;
22
- }, {
23
- id: convex_values104.VString<string, "required">;
24
- secret: convex_values104.VString<string | undefined, "optional">;
25
- }, "required", "id" | "secret">;
26
- profile: convex_values104.VAny<any, "required", string>;
27
- shouldLinkViaEmail: convex_values104.VBoolean<boolean | undefined, "optional">;
28
- shouldLinkViaPhone: convex_values104.VBoolean<boolean | undefined, "optional">;
29
- }, "required", "provider" | "profile" | `profile.${string}` | "account" | "shouldLinkViaEmail" | "shouldLinkViaPhone" | "account.id" | "account.secret">;
30
- type ReturnType = {
31
- account: Doc<"Account">;
32
- user: Doc<"User">;
33
- };
34
- declare function createAccountFromCredentialsImpl(ctx: MutationCtx, args: Infer<typeof createAccountFromCredentialsArgs>, getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Promise<ReturnType>;
35
- declare const callCreateAccountFromCredentials: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof createAccountFromCredentialsArgs>) => Promise<ReturnType>;
36
- //#endregion
37
- export { callCreateAccountFromCredentials, createAccountFromCredentialsArgs, createAccountFromCredentialsImpl };
38
- //# sourceMappingURL=register.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"register.d.ts","names":[],"sources":["../../../src/server/mutations/register.ts"],"mappings":";;;;;;;cAca,gCAAA,mBAAgC,OAAA;;;;;;;;;;YAM3C,gBAAA,CAAA,OAAA;;;;;;;;;;;;KAEG,UAAA;EAAe,OAAA,EAAS,GAAA;EAAgB,IAAA,EAAM,GAAA;AAAA;AAAA,iBAE7B,gCAAA,CACpB,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,gCAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,OAAA,CAAQ,UAAA;AAAA,cAiHE,gCAAA,qBACO,gBAAA,EAElB,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,gCAAA,MAClB,OAAA,CAAQ,UAAA"}
@@ -1 +0,0 @@
1
- {"version":3,"file":"register.js","names":["Provider.verify","Provider.hash"],"sources":["../../../src/server/mutations/register.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport { getAuthSessionId } from \"../sessions\";\nimport { Doc, MutationCtx } from \"../types\";\nimport { ConvexCredentialsConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { LOG_LEVELS, logWithLevel, maybeRedact } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const createAccountFromCredentialsArgs = v.object({\n provider: v.string(),\n account: v.object({ id: v.string(), secret: v.optional(v.string()) }),\n profile: v.any(),\n shouldLinkViaEmail: v.optional(v.boolean()),\n shouldLinkViaPhone: v.optional(v.boolean()),\n});\n\ntype ReturnType = { account: Doc<\"Account\">; user: Doc<\"User\"> };\n\nexport async function createAccountFromCredentialsImpl(\n ctx: MutationCtx,\n args: Infer<typeof createAccountFromCredentialsArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Promise<ReturnType> {\n logWithLevel(LOG_LEVELS.DEBUG, \"createAccountFromCredentialsImpl args:\", {\n provider: args.provider,\n account: {\n id: args.account.id,\n secret: maybeRedact(args.account.secret ?? 
\"\"),\n },\n });\n\n const {\n provider: providerId,\n account,\n profile,\n shouldLinkViaEmail,\n shouldLinkViaPhone,\n } = args;\n const db = authDb(ctx, config);\n const provider = getProviderOrThrow(providerId) as ConvexCredentialsConfig;\n\n return Fx.run(\n Fx.gen(function* () {\n const existingAccount = yield* Fx.promise(\n () =>\n db.accounts.get(\n provider.id,\n account.id,\n ) as Promise<Doc<\"Account\"> | null>,\n );\n\n if (existingAccount !== null) {\n if (account.secret !== undefined) {\n const valid = yield* Provider.verify(\n provider,\n account.secret,\n existingAccount.secret ?? \"\",\n );\n if (!valid) {\n return yield* Cv.fail({\n code: \"ACCOUNT_ALREADY_EXISTS\",\n message: `Account ${account.id} already exists`,\n });\n }\n }\n\n const user = yield* Fx.promise(\n () =>\n db.users.getById(\n existingAccount.userId,\n ) as Promise<Doc<\"User\"> | null>,\n );\n if (user === null) {\n return yield* Cv.fail({\n code: \"ACCOUNT_NOT_FOUND\",\n message: `Linked user for account ${account.id} was not found.`,\n });\n }\n\n return { account: existingAccount, user };\n }\n\n const secret =\n account.secret !== undefined\n ? 
yield* Provider.hash(provider, account.secret)\n : undefined;\n\n const result = yield* Fx.promise(async () =>\n upsertUserAndAccount(\n ctx,\n await getAuthSessionId(ctx),\n { providerAccountId: account.id, secret },\n {\n type: \"credentials\",\n provider,\n profile,\n shouldLinkViaEmail,\n shouldLinkViaPhone,\n },\n config,\n ),\n );\n\n const { userId, accountId } = result as {\n userId: string;\n accountId: string;\n };\n const [createdAccount, createdUser] = yield* Fx.zip(\n Fx.promise(\n () =>\n db.accounts.getById(accountId) as Promise<Doc<\"Account\"> | null>,\n ),\n Fx.promise(\n () => db.users.getById(userId) as Promise<Doc<\"User\"> | null>,\n ),\n );\n\n if (createdAccount === null) {\n return yield* Cv.fail({\n code: \"ACCOUNT_NOT_FOUND\",\n message: `Created account was not found.`,\n });\n }\n if (createdUser === null) {\n return yield* Cv.fail({\n code: \"USER_UPDATE_FAILED\",\n message: `Created user was not found.`,\n });\n }\n\n return { account: createdAccount, user: createdUser };\n }),\n ) as Promise<ReturnType>;\n}\n\nexport const callCreateAccountFromCredentials = async <\n DataModel extends GenericDataModel,\n>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof createAccountFromCredentialsArgs>,\n): Promise<ReturnType> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"createAccountFromCredentials\",\n ...args,\n },\n 
});\n};\n"],"mappings":";;;;;;;;;;;AAcA,MAAa,mCAAmC,EAAE,OAAO;CACvD,UAAU,EAAE,QAAQ;CACpB,SAAS,EAAE,OAAO;EAAE,IAAI,EAAE,QAAQ;EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;EAAE,CAAC;CACrE,SAAS,EAAE,KAAK;CAChB,oBAAoB,EAAE,SAAS,EAAE,SAAS,CAAC;CAC3C,oBAAoB,EAAE,SAAS,EAAE,SAAS,CAAC;CAC5C,CAAC;AAIF,eAAsB,iCACpB,KACA,MACA,oBACA,QACqB;AACrB,cAAa,WAAW,OAAO,0CAA0C;EACvE,UAAU,KAAK;EACf,SAAS;GACP,IAAI,KAAK,QAAQ;GACjB,QAAQ,YAAY,KAAK,QAAQ,UAAU,GAAG;GAC/C;EACF,CAAC;CAEF,MAAM,EACJ,UAAU,YACV,SACA,SACA,oBACA,uBACE;CACJ,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,WAAW,mBAAmB,WAAW;AAE/C,QAAO,GAAG,IACR,GAAG,IAAI,aAAa;EAClB,MAAM,kBAAkB,OAAO,GAAG,cAE9B,GAAG,SAAS,IACV,SAAS,IACT,QAAQ,GACT,CACJ;AAED,MAAI,oBAAoB,MAAM;AAC5B,OAAI,QAAQ,WAAW,QAMrB;QAAI,EALU,OAAOA,OACnB,UACA,QAAQ,QACR,gBAAgB,UAAU,GAC3B,EAEC,QAAO,OAAO,GAAG,KAAK;KACpB,MAAM;KACN,SAAS,WAAW,QAAQ,GAAG;KAChC,CAAC;;GAIN,MAAM,OAAO,OAAO,GAAG,cAEnB,GAAG,MAAM,QACP,gBAAgB,OACjB,CACJ;AACD,OAAI,SAAS,KACX,QAAO,OAAO,GAAG,KAAK;IACpB,MAAM;IACN,SAAS,2BAA2B,QAAQ,GAAG;IAChD,CAAC;AAGJ,UAAO;IAAE,SAAS;IAAiB;IAAM;;EAG3C,MAAM,SACJ,QAAQ,WAAW,SACf,OAAOC,KAAc,UAAU,QAAQ,OAAO,GAC9C;EAkBN,MAAM,EAAE,QAAQ,cAhBD,OAAO,GAAG,QAAQ,YAC/B,qBACE,KACA,MAAM,iBAAiB,IAAI,EAC3B;GAAE,mBAAmB,QAAQ;GAAI;GAAQ,EACzC;GACE,MAAM;GACN;GACA;GACA;GACA;GACD,EACD,OACD,CACF;EAMD,MAAM,CAAC,gBAAgB,eAAe,OAAO,GAAG,IAC9C,GAAG,cAEC,GAAG,SAAS,QAAQ,UAAU,CACjC,EACD,GAAG,cACK,GAAG,MAAM,QAAQ,OAAO,CAC/B,CACF;AAED,MAAI,mBAAmB,KACrB,QAAO,OAAO,GAAG,KAAK;GACpB,MAAM;GACN,SAAS;GACV,CAAC;AAEJ,MAAI,gBAAgB,KAClB,QAAO,OAAO,GAAG,KAAK;GACpB,MAAM;GACN,SAAS;GACV,CAAC;AAGJ,SAAO;GAAE,SAAS;GAAgB,MAAM;GAAa;GACrD,CACH;;AAGH,MAAa,mCAAmC,OAG9C,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}